- Published Articles
- In the Press
- Press Releases
Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
February 16th, 2017
No Harm, No Foul: Court Dismisses Biometric Data Privacy Class Action Against NBA 2K Games
Biometric data — from, e.g., retina, face and fingerprint scans — plays a big role in the current wave of new technology services. For example, biometrics provide security features for financial and healthcare products. And biometrics are behind some cool new in-game offerings in the interactive entertainment and social media space. But companies using or thinking of using biometric data have to comply with myriad privacy and data security laws and regulations, or face potential enforcement action and litigation. On January 30, 2017, the Southern District of New York dismissed one such litigation brought against video game publisher Take-Two Interactive Software, Inc. for alleged violation of the Illinois Biometric Information Privacy Act ("BIPA"). Here's a summary.
Take-Two's NBA 2K15 and NBA 2K16 games contained a "MyPlayer" feature allowing users to create custom in-game characters based on detailed 3D facial scans using a webcam or other peripheral device. BIPA safeguards the use of biometric data by private entities in connection with financial or commercial transactions, and regulates the collection, distribution and storage of biometric data, which includes unique personal identifiers such as retina scans, fingerprints, voiceprints, or scans of the hand or face. BIPA requires companies to disclose their procedures and data retention policies, and obtain customer consent before collecting or transferring the data. BIPA also sets the "standard of care" for data security measures, and provides that individuals "aggrieved" can sue to recover attorney's fees and statutory damages of up to $5,000 per violation.
The plaintiffs' suit, entitled Vigil, et al. v. Take-Two Interactive Software, Inc., (No.1:15-cv-08211), alleged that NBA 2K15 and NBA 2K16 violate BIPA. The plaintiffs brought a class action under BIPA, suing on behalf of Illinois residents who used the "MyPlayer" feature. The main issue in the case was whether the plaintiffs had pled an injury sufficient to confer legal "standing" — in other words, whether the plaintiffs had enough of a stake in the matter for a court to legally decide it. The trial court asked the plaintiffs to replead their alleged injuries in light of a new US Supreme Court case on standing: Spokeo, Inc. v. Robins. The plaintiffs' amended complaint identified three potential harms: (1) that the plaintiffs would not have purchased the NBA 2K game if they had known about the alleged BIPA violations; (2) that Take-Two had misappropriated purportedly "valuable" biometric data; and (3) that Take-Two's alleged "indefinite" storage of the data enhanced the risk of a data breach, which could result in the plaintiff's data being compromised.
Motion to Dismiss
Take-Two moved to dismiss the amended complaint for lack of standing, arguing that none of the plaintiffs' claimed damages qualified as a "concrete injury" required to establish standing under Spokeo. Take-Two characterized the plaintiffs' theories as "buyer's remorse," arguing that the plaintiffs had not alleged that their biometric data had value, that Take-Two profited in any way from the use of the biometric data, or that there was any genuine risk of a data breach.
The District Court ruled in favor of Take-Two, dismissing the plaintiffs' claims for lack of standing. The Court held that the core interest protected by BIPA is ensuring that a "private entity protects the individual's biometric data, and does not use that data in a way not contemplated by the underlying transaction." In essence, the plaintiffs' claim failed because they could not show that their data was used in any way other than as advertised: to generate a "MyPlayer" character based on the user's face scan. The Court rejected the "information injury" theory, noting that BIPA is not a statute in which the loss of information amounts to the loss of a substantive right, and denied that BIPA was intended to create a statutory right to privacy in biometric data. In the end, the Court dismissed the plaintiffs' complaint with prejudice, writing that the plaintiffs "cannot aggregate multiple bare procedural violations to create standing where no injury-in-fact otherwise exists."
Many in the tech industry will likely applaud this court's reading of BIPA and willingness to dismiss the case at an early stage. But Vigil is just one of several BIPA cases pending against tech companies; Facebook and Google are each facing similar claims relating to the use of facial-recognition photo-tagging algorithms. Therefore, it remains to be seen whether these companies will succeed in stopping BIPA from becoming the basis for the next wave of mass-tort claims. The stakes here remain high: as biometric information increasingly becomes the way users unlock their mobile devices, authorize both digital and real-world purchases or access other technological features, the opportunities for similar lawsuits will only multiply. Tech companies must be prepared to vet their products and services against an ever-changing, uneven landscape of regulation.
If you have questions about biometric data privacy in video games, or about any other interactive entertainment or privacy matters, contact Sean F. Kane at (212) 705 4845 or firstname.lastname@example.org, S. Gregory Boyd at (212) 826 5581 or email@example.com or any other member of the Frankfurt Kurnit Interactive Entertainment or Privacy and Data Security Groups.
Other Privacy & Data Security Law Alerts
Privacy Considerations for 2023
2023 is around the corner. As a refresher, on January 1, 2023, two new comprehensive privacy laws – the California Privacy Rights Act (“CPRA”) and the Virginia Consumer Data Protection Act (“VCDPA”) – take effect. Read more.
December 6 2022
New York Regulator Says Even One Access Control Failure Can Invalidate Years of Compliance Certifications
The New York Department of Financial Services (“NYDFS”) recently entered into a Consent Order (the “Consent Order”) with EyeMed Vision Care LLC (“EyeMed”) over violations of the agency’s Cybersecurity Requirements (23 NY CRR Part 500) (“Part 500”). Read more.
October 26 2022
Privacy News for Q2 2022
A summary of privacy news and trends we have seen in the first half of 2022. Read more.
June 2 2022