Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
February 16th, 2017
No Harm, No Foul: Court Dismisses Biometric Data Privacy Class Action Against NBA 2K Games
Biometric data — from, e.g., retina, face and fingerprint scans — plays a big role in the current wave of new technology services. For example, biometrics provide security features for financial and healthcare products. And biometrics are behind some cool new in-game offerings in the interactive entertainment and social media space. But companies using or thinking of using biometric data have to comply with myriad privacy and data security laws and regulations, or face potential enforcement action and litigation. On January 30, 2017, the Southern District of New York dismissed one such litigation brought against video game publisher Take-Two Interactive Software, Inc. for alleged violation of the Illinois Biometric Information Privacy Act ("BIPA"). Here's a summary.
Background
Take-Two's NBA 2K15 and NBA 2K16 games contained a "MyPlayer" feature allowing users to create custom in-game characters based on detailed 3D facial scans using a webcam or other peripheral device. BIPA safeguards the use of biometric data by private entities in connection with financial or commercial transactions, and regulates the collection, distribution and storage of biometric data, which includes unique personal identifiers such as retina scans, fingerprints, voiceprints, or scans of the hand or face. BIPA requires companies to disclose their procedures and data retention policies, and obtain customer consent before collecting or transferring the data. BIPA also sets the "standard of care" for data security measures, and provides that individuals "aggrieved" can sue to recover attorney's fees and statutory damages of up to $5,000 per violation.
The plaintiffs' suit, entitled Vigil, et al. v. Take-Two Interactive Software, Inc., (No.1:15-cv-08211), alleged that NBA 2K15 and NBA 2K16 violate BIPA. The plaintiffs brought a class action under BIPA, suing on behalf of Illinois residents who used the "MyPlayer" feature. The main issue in the case was whether the plaintiffs had pled an injury sufficient to confer legal "standing" — in other words, whether the plaintiffs had enough of a stake in the matter for a court to legally decide it. The trial court asked the plaintiffs to replead their alleged injuries in light of a new US Supreme Court case on standing: Spokeo, Inc. v. Robins. The plaintiffs' amended complaint identified three potential harms: (1) that the plaintiffs would not have purchased the NBA 2K game if they had known about the alleged BIPA violations; (2) that Take-Two had misappropriated purportedly "valuable" biometric data; and (3) that Take-Two's alleged "indefinite" storage of the data enhanced the risk of a data breach, which could result in the plaintiff's data being compromised.
Motion to Dismiss
Take-Two moved to dismiss the amended complaint for lack of standing, arguing that none of the plaintiffs' claimed damages qualified as a "concrete injury" required to establish standing under Spokeo. Take-Two characterized the plaintiffs' theories as "buyer's remorse," arguing that the plaintiffs had not alleged that their biometric data had value, that Take-Two profited in any way from the use of the biometric data, or that there was any genuine risk of a data breach.
The District Court ruled in favor of Take-Two, dismissing the plaintiffs' claims for lack of standing. The Court held that the core interest protected by BIPA is ensuring that a "private entity protects the individual's biometric data, and does not use that data in a way not contemplated by the underlying transaction." In essence, the plaintiffs' claim failed because they could not show that their data was used in any way other than as advertised: to generate a "MyPlayer" character based on the user's face scan. The Court rejected the "information injury" theory, noting that BIPA is not a statute in which the loss of information amounts to the loss of a substantive right, and denied that BIPA was intended to create a statutory right to privacy in biometric data. In the end, the Court dismissed the plaintiffs' complaint with prejudice, writing that the plaintiffs "cannot aggregate multiple bare procedural violations to create standing where no injury-in-fact otherwise exists."
Takeaway
Many in the tech industry will likely applaud this court's reading of BIPA and willingness to dismiss the case at an early stage. But Vigil is just one of several BIPA cases pending against tech companies; Facebook and Google are each facing similar claims relating to the use of facial-recognition photo-tagging algorithms. Therefore, it remains to be seen whether these companies will succeed in stopping BIPA from becoming the basis for the next wave of mass-tort claims. The stakes here remain high: as biometric information increasingly becomes the way users unlock their mobile devices, authorize both digital and real-world purchases or access other technological features, the opportunities for similar lawsuits will only multiply. Tech companies must be prepared to vet their products and services against an ever-changing, uneven landscape of regulation.
If you have questions about biometric data privacy in video games, or about any other interactive entertainment or privacy matters, contact Sean F. Kane at (212) 705 4845 or skane@fkks.com, S. Gregory Boyd at (212) 826 5581 or gboyd@fkks.com or any other member of the Frankfurt Kurnit Interactive Entertainment or Privacy and Data Security Groups.
Other Privacy & Data Security Law Alerts
Six Steps to Help Your Team Comply with the New SEC Public Company Cybersecurity Rules
On July 26, 2023, the Securities Exchange Commission (“SEC”) approved final Rules entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rules”). The Rules require certain cybersecurity incident disclosures on Form 8-K, generally within 4 business days after the determination that a cybersecurity incident is material. Read more.
August 1 2023
Five Action Items to Help You Prepare for the Wave of Privacy Enforcement Starting July 2023
Mark your calendars - July 2023 is an important month for US privacy enforcement. Read more.
June 21 2023
Washington “My Health My Data” Act Dramatically Alters Health Data Compliance Landscape
Washington State’s My Health My Data Act (“the Act”) introduces a sweeping set of obligations for nearly all entities that do business in the state and that handle “consumer health data,” a broad new class of health-related data separate from that regulated by the federal Health Insurance Portability and Accountability Act (“HIPAA”). Read more.
April 24 2023