'NBA 2K' Video Game Maker Beats Lawsuit Over Biometric Face-Scanning

Brimstone Facial Capture - H 2014
Courtesy of Digital Domain

Brimstone Facial Capture - H 2014

Take-Two Interactive Software has prevailed in a cutting-edge dispute over biometric data for its video games. On Monday, a New York federal judge rejected a proposed class action that challenged the way the video game company was collecting facial scans of those who created personalized virtual basketball players in NBA 2K15 and NBA 2K16. The plaintiffs claimed a violation of the Illinois Biometric Information Privacy Act, but in dismissing the complaint with prejudice, U.S. District Judge John Koetl rules the game players haven't established sufficient injury to proceed.

Digital avatars are on the rise. And entertainment and media companies are increasingly using face-scanning technologies in novel ways. Meanwhile, upon growing concern of how biometric identifiers like fingerprints could be misused, Illinois passed a law in 2008 to safeguard consumer privacy. Now, Facebook, Google, Snap and other companies are defending allegations of breaching this law in putative class actions.

Take-Two was hit with a lawsuit in October 2015 over the "MyPlayer" feature of its NBA 2K series of games. To create avatars, the system uses cameras connected to PS4 and Xbox to scan the gamer's face and head. The process takes about 15 minutes, and gamers doing this have to agree to terms and conditions noting that the face scan will be visible to others. Afterward, Take-Two allegedly stores the biometric information indefinitely on its servers.

In the lawsuit, the plaintiffs claimed the company had failed to obtain their informed consent. They alleged not fully understanding Take-Two's practices with respect to biometric information upon purchase and not having any recourse to return the game once they did. Even if they could get back their money, the suing gamers say that Take-Two failed to inform them in writing how the facial scans would be retained and disseminated.

Unfortunately for these gamers, the U.S. Supreme Court made their path to legal victory much tougher in Spokeo v. Robins, a 2015 decision determining that plaintiffs must show an injury both "concrete and particularized" in order to have standing to sue. In the aftermath of Spokeo, lower courts throughout the nation have dealt with interpreting the high court's directive with respect to newer disputes.

In the lawsuit over basketball player avatars, the plaintiffs attempted to showcase their injury by pointing to their broad privacy concerns as well as apprehension about engaging in future biometric-facilitated transactions.

Koetl rules it's not enough.

"The plaintiffs allege that they agreed to the MyPlayer terms and conditions, that NBA 2K15 scanned their faces to create personalized basketball avatars, and that the plaintiffs used their personalized basketball avatars for in-game play," he writes. "The plaintiffs thus allege that the MyPlayer feature functioned exactly as anticipated. There is no allegation that Take-Two has disseminated or sold the plaintiffs’ biometric data to third- parties, or that Take-Two has used the plaintiffs’ biometric information in any way not contemplated by the only possible use of the MyPlayer feature: the creation of personalized basketball avatars for in-game play. … The purported violations of the BIPA are, at best, marginal, and the plaintiffs lack standing to pursue their claims for the alleged bare procedural violations of the BIPA."

Koetl goes on to say that the plaintiffs have failed to establish an imminent risk of harm from Take-Two's storage and dissemination. He rejects the argument that because biometric identifiers like face scans can't be changed like passwords, the risk is potentially great. Maybe so, but the judge says the fears are still "highly speculative and abstract."

Finally, Koetl shrugs off the objection to the alleged lack of notice and consent. 

In the opinion (read here), he writes, "At best, more extensive notice and consent could have dissuaded the plaintiffs from using the MyPlayer feature, meaning that Take-Two would have never collected the plaintiffs’ biometrics. But the plaintiffs have failed to establish that their use of the MyPlayer feature resulted in any imminent risk that the data protection goal of the BIPA would be frustrated. Consequently, more extensive notice and consent could not have altered the standing equation because there has been no material risk of harm to a concrete BIPA interest that more extensive notice and consent would have avoided."

Take-Two was represented by Robert Schwartz, Victor Jih, Derek Flores, Molly Russell and Nathaniel Lipanovich at Irell & Manella.