In the past few years thanks to various court decisions, it’s become tougher to mount a class action lawsuit with appellate judges tightening what plaintiffs must show in order to have standing to sue. That’s especially important as digital services collect all sorts of data on their users and as many worry about privacy breaches. The latest news on this front came Tuesday at the 2nd Circuit Court of Appeals as some of those who created personalized virtual basketball players in NBA 2K15 and NBA 2K16 got mostly bad news in their legal effort to sue video game maker Take-Two Interactive over biometric collection.
The plaintiffs attempted to bring a case under the Illinois Biometric Information Privacy Act, which was enacted in 2008 upon the appearance of finger-scan technologies at grocery stores, gas stations and school cafeterias plus worries about how such biometric information might be misused. The case was litigated in New York, however, thanks to a forum clause in the user agreement. The suing individuals, who had their faces scanned, alleged Take-Two had failed to obtain their informed consent and attempted to make a case over how their facial geometry was being stored.
Tuesday’s decision reviews the decision by the district judge to dismiss the lawsuit by examining whether the plaintiffs have either constitutional standing or have properly stated a cause of action under the Illinois law. The 2nd Circuit concludes the plaintiffs have neither.
On constitutional standing, the appellate court focused its inquiry on any presentation of a “material risk of harm to a concrete interest.”
The decision notes that Take-Two informed game-players that a “face scan” would be required for the personalized virtual basketball player feature and that the game company met standards for informed consent.
The suing individuals attempted to argue that Take-Two did not inform them of the duration that it would hold their biometric data, as the law required, but the appellate judges still don’t see a material risk presented that their data will be misused or disclosed.
“Plaintiffs have not alleged that Take-Two has not or will not destroy their biometric data within the period specified by the statute, and accordingly have alleged only a bare procedural violation,” states the decision. “Likewise, although Take-Two did not notify the plaintiffs of its ‘retention schedule and guidelines for permanently destroying [their] biometric [data],’ id., plaintiffs do not allege that Take-Two lacks such protocols, that its policies are inadequate, or that Take-Two is unlikely to abide by its internal procedures.”
The 2nd Circuit says alleged violations of the Illinois law’s data security provisions “raise a somewhat thornier issue,” pointing to allegations that Take-Two transmitted face scans using less than secure networks. But ultimately, plaintiffs still have not done enough.
“Although Take-Two asserts that violations of such prophylactic measures confer standing only where there has been a data breach, we do not need to make such a wide-sweeping conclusion,” states the decision. “Despite multiple opportunities to amend their pleadings, plaintiffs have failed to allege that Take-Two’s alleged violations have raised a material risk that their biometric data will be improperly accessed by third parties. They therefore have failed to show a ‘risk of real harm’ sufficient to confer an injury-in-fact.”
The appellate judges aren’t impressed by plaintiffs’ attempt to “manufacture an injury,” as they put it, writing that “plaintiffs’ fear, without more, is insufficient.”
The 2nd Circuit does, however, remand the case back to the district court with an instruction that dismissal should be entered without prejudice, meaning that plaintiffs could have another shot at amending their complaint to show they really are “aggrieved” parties under the Illinois statute in question.