HADIT SANTANA, Plaintiff, VANESSA VIGIL, RICARDO VIGIL, Plaintiffs-Appellants, v. TAKE-TWO INTERACTIVE SOFTWARE, INC., Defendant-Appellee.
UPON DUE CONSIDERATION, IT IS HEREBY ORDERED, ADJUDGED, AND DECREED that the judgment of the district court is AFFIRMED IN PART and VACATED IN PART, and the case is REMANDED with the instruction that the court shall amend its judgment and enter dismissal without prejudice.
Plaintiffs-Appellants Ricardo Vigil and Vanessa Vigil appeal from a final judgment dismissing their second amended complaint (“SAC”) with prejudice, entered on January 30, 2017, by the United States District Court for the Southern District of New York (Koeltl, J.). We assume the parties' familiarity with the underlying facts, procedural history, and issues on appeal.
Defendant-Appellee Take-Two Interactive Software, Inc. is a publisher, developer, and distributor of video games, including “NBA 2K15” and “NBA 2K16.” The NBA 2K15 and NBA 2K16 games contain a feature called “MyPlayer,” which allows gamers to create a personalized basketball player that has a realistic 3-D rendition of the gamer's face, also known as an “avatar.” If a gamer chooses to play with the avatar in the games' online, “multiplayer” mode, then other players who participate in the same multiplayer match will see the rendition of the gamer's “face” during gameplay.
To create a MyPlayer avatar, a gamer must first agree to the following terms and conditions, which are presented on the viewer's television screen or monitor:
Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. www.take2games.com/eula.
App. 23. Only after viewing this screen and pressing “continue” can a gamer access the MyPlayer feature. Id.
The 3-D mapping process uses cameras to capture a scan of the gamer's facial geometry, which is then used to disseminate a realistic rendition of the gamer's face. Gamers must hold their faces within 6 to 12 inches of the camera and slowly turn their heads 30 degrees to the left and to the right during the scanning process. Id. at 23-24. The process of scanning the face takes about 15 minutes. Id.
Ricardo Vigil purchased NBA 2K15 and his sister, Vanessa Vigil, played his copy of the game.1 Both plaintiffs used the MyPlayer feature and followed the above-described procedure to create their MyPlayer avatars. On October 19, 2015, plaintiffs brought claims against Take-Two in the United States District Court for the Southern District of New York (Koeltl, J.) alleging five violations of the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 et seq. (“BIPA”). The statute governs the collection, storage, and dissemination of individuals' “biometric identifiers” and “biometric information” by private entities, and defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” and “biometric information” as information based on “biometric identifiers.” 2 Id. § 14/10. Plaintiffs allege that Take-Two: (1) collected their biometric data without their informed consent; (2) disseminated their biometric data to others during game play without their informed consent; (3) failed to inform them in writing of the specific purpose and length of term for which their biometric data would be stored; (4) failed to make publicly available a retention schedule and guidelines for permanently destroying plaintiffs' biometric data; and (5) failed to store, transmit, or protect from disclosure plaintiffs' biometric data by using a reasonable standard of care or in a manner that is at least as protective as the manner in which it stores, transmits, and protects other confidential and sensitive information.
Take-Two moved to dismiss plaintiffs' claims for lack of Article III standing and for failure to state a cause of action under the statute (i.e., lack of “statutory standing”).3 The district court granted the motion on both grounds and dismissed the action with prejudice on January 30, 2017, and the clerk entered final judgment the same day. Plaintiffs timely appealed.
We begin with Article III standing. The principles for evaluating whether plaintiffs have constitutional standing for a procedural violation of law are set forth in our trio of decisions in Strubel v. Comenity Bank, 842 F.3d 181 (2d Cir. 2016), Crupar-Weinmann v. Paris Baguette Am., Inc., 861 F.3d 76 (2d Cir. 2017), and Katz v. Donna Karan Co., L.L.C., 872 F.3d 114 (2d Cir. 2017). A plaintiff's pleading must establish “first, that ‘Congress conferred the procedural right to protect a plaintiff's concrete interests' as to the harm in question, and second, that ‘the procedural violation presents a risk of real harm to that concrete interest.’ ” Katz, 872 F.3d at 119 (quoting Strubel, 842 F.3d at 190).
“The first of these two issues – determining the scope and purpose of the procedural right provided by the statute – is a question of law” that we review de novo. Id. The second issue – whether a bare procedural violation presents a material risk of harm to a concrete interest – “may raise either a question of law or a question of fact, depending on the sources the parties rely on in their pleadings.” Id. Where, as here, a defendant makes a “facial challenge to standing, i.e., one ‘based solely on the allegations of the complaint or the complaint and exhibits attached to it,’ ” we review the district court's decision de novo.4 Id. (quoting Carter v. HealthPort Techs., LLC, 822 F.3d 47, 56 (2d Cir. 2016)).
The parties do not materially dispute the first issue of our inquiry. Plaintiffs concede that BIPA is implicated only if their biometric data is collected or disseminated without their authorization or if a procedural violation creates a material risk of such an outcome, Pls.' Br. 25, which is essentially the same as Take-Two's position. Def.'s Br. 3-4, 15-16. We accordingly assume without deciding that BIPA's purpose is to prevent the unauthorized use, collection, or disclosure of an individual's biometric data.
We further conclude, pursuant to the second step of our inquiry, that none of the alleged procedural violations here raise a material risk of harm to this interest. Although plaintiffs allege that Take-Two collected and disclosed their biometric data without their authorization, there is no dispute that Take-Two informed them that the MyPlayer feature required a “face scan” that would be visible to other players during online gameplay. App. 26. This terminology is sufficient to meet BIPA's mandates under the circumstances here. The statute requires that private entities “inform[ ] the subject ․ in writing that a biometric identifier ․ is being collected or stored,” 740 Ill. Comp. Stat. Ann. 14/15(b)(1), and defines a “biometric identifier,” among other things, as a “scan of ․ face geometry,” id. § 14/10. Thus, to the extent that Take-Two departed from BIPA's requirements, it only did so insofar as it omitted the term, “geometry.”
No reasonable person, however, would believe that the MyPlayer feature was conducting anything other than such a scan. Plaintiffs had to place their faces within 6 to 12 inches of the camera, slowly turn their heads to the left and to the right, and do so for approximately 15 minutes. This degree of invasiveness far exceeded that of a simple photo, and plaintiffs do not plausibly assert (beyond a mere conclusory allegation) that they would have withheld their consent had Take-Two included the missing term.5 See Strubel, 842 F.3d at 193 (plaintiff failed to allege a material risk of harm where she did not “assert that the allegedly flawed notice caused her ․ behavior to be different from what it would have been”).
Take-Two's alleged violations of BIPA's notice provisions similarly fail to raise a material risk of harm. Plaintiffs allege that Take-Two did not inform them of the duration that it would hold their biometric data, as BIPA requires. See 740 Ill. Comp. Stat. Ann. 14/15(a). However, plaintiffs have not shown that this violation, if true, presents a material risk that their biometric data will be misused or disclosed. Plaintiffs have not alleged that Take-Two has not or will not destroy their biometric data within the period specified by the statute, and accordingly have alleged only a bare procedural violation. Likewise, although Take-Two did not notify the plaintiffs of its “retention schedule and guidelines for permanently destroying [their] biometric [data],” id., plaintiffs do not allege that Take-Two lacks such protocols, that its policies are inadequate, or that Take-Two is unlikely to abide by its internal procedures. There is accordingly no material risk that Take-Two's procedural violations have resulted in plaintiffs' biometric data being used or disclosed without their consent. See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1550 (2016) (observing that a credit reporting agency's failure to notify a user of the agency's consumer information would not confer standing where “that information ․ [is] entirely accurate”).
Take-Two's alleged violations of BIPA's data security provisions raise a somewhat thornier issue. BIPA requires entities to use the “reasonable standard of care within [their] industry” to protect the biometric data in their possession and to store and transmit such data in a manner that is as “protective” as that in which they handle “other confidential and sensitive information.” 740 Ill. Comp. Stat. Ann. 14/15(e). Plaintiffs allege that Take-Two violated these provisions by “transmit[ting] ․ unencrypted scans of face geometry via the open, commercial Internet, and not a secure network such as a virtual private network,” and “stor[ing] [p]laintiffs' face templates in a manner that associates their identity with their biometric data.” App. 27.
Although Take-Two asserts that violations of such prophylactic measures confer standing only where there has been a data breach, we do not need to make such a wide-sweeping conclusion.6 Despite multiple opportunities to amend their pleadings, plaintiffs have failed to allege that Take-Two's alleged violations have raised a material risk that their biometric data will be improperly accessed by third parties. They therefore have failed to show a “risk of real harm” sufficient to confer an injury-in-fact. See Spokeo, 136 S. Ct. at 1549.
We lastly find unpersuasive plaintiffs' attempt to manufacture an injury. Plaintiffs assert that “a consumer deprived of BIPA's procedural protections is likely to be deterred from using ․ biometrics to authorize transactions in the future,” Pls.' Br. 34-35, and that they similarly have “refrained from participating in biometric transactions facilitated by, among other things, scans of face geometry.” App. 30. Plaintiffs' fear, without more, is insufficient to confer an Article III injury-in-fact.7 While it is true that BIPA's legislative findings identify consumers' withdrawal from biometric-facilitated transactions as a problem, they clarify that this issue arises only where a consumer's biometric data has been “compromised,” i.e., collected or disclosed without his or her authorization. 740 Ill. Comp. Stat. 14/5(c). Because plaintiffs have failed to establish that Take-Two's procedural violations have created a material risk that this will occur, they cannot now leapfrog this obligation by imposing an injury upon themselves.
Although we find for the foregoing reasons that the district court properly held that the plaintiffs lack Article III standing, we nonetheless must remand with the instruction that the court shall amend its judgment and enter dismissal without prejudice. A complaint dismissed for lack of Article III standing should be without prejudice because the court is without subject matter jurisdiction. Katz, 872 F.3d at 121. To be sure, the district court has discretion to decide “certain threshold bases for dismissal without deciding whether it has subject matter jurisdiction,” and “under certain circumstances, questions of ‘statutory standing ․ may properly be treated before Article III standing.’ ” In re Facebook, Inc. Initial Pub. Offering Derivative Litig., 797 F.3d 148, 155-56 (2d Cir. 2015) (quoting Ortiz v. Fibreboard Corp., 527 U.S. 815, 831 (1999)). This, however, is not such a circumstance.
Courts may adjudicate statutory standing prior to Article III issues only where deciding statutory standing does not constitute a “definitive ruling on the merits.” Alliance For Envtl. Renewal, Inc. v. Pyramid Crossgates Co., 436 F.3d 82, 87 (2d Cir. 2006). Where “the parties' standing arguments [are] based upon differing constructions of the governing statute,” however, plaintiffs' “ ‘standing to bring this action turns on the merits of the action itself.’ ” Id. (quoting Atl. States Legal Found., Inc. v. Eastman Kodak Co., 12 F.3d 353, 357 (2d Cir. 1993)). Since the statutory standing arguments here are based on differing constructions of the term “aggrieved party” as used in BIPA, the district court's resolution of the issue was a judgment on the merits that could not be properly addressed absent subject matter jurisdiction. The district court was therefore without power to dismiss the complaint with prejudice for failure to state a cause of action under the statute.
We have considered all of plaintiffs' contentions on appeal and have found in them no basis for reversal. For the reasons stated herein, the judgment of the district court is AFFIRMED IN PART insofar as it held that plaintiffs lack Article III standing, but is VACATED IN PART insofar as it held that the plaintiffs lack a statutory cause of action as “aggrieved” parties. The case is REMANDED with the instruction that the court shall amend its judgment and enter dismissal without prejudice.
FOR THE COURT:
Catherine O'Hagan Wolfe, Clerk
1. Although Ricardo and Vanessa Vigil bring class action claims based on their use of the MyPlayer feature on both the NBA 2K15 and NBA 2K16 video games, App. 30, there is no allegation that any of the named plaintiffs actually used the feature on the NBA 2K16 game.
2. The parties refer to “biometric identifiers” and “biometric information” collectively as “biometric data.” Although this term is not in the statute, we adopt it for the purposes of this summary order for ease of reference.
3. Although Take-Two framed its second argument for dismissal as based on “statutory standing” grounds, the district court correctly observed “that what has been called ‘statutory standing’ in fact is not a standing issue, but simply a question of whether the particular plaintiff ‘has a cause of action under the statute,’ ” and therefore appropriately framed the issue as whether the plaintiffs had a cause of action under the statute. See Vigil v. Take-Two Interactive Software, Inc., 235 F. Supp. 3d 499, 507 n.5 (S.D.N.Y. 2017) (quoting Am. Psychiatric Ass'n v. Anthem Health Plans, Inc., 821 F.3d 352, 359 (2d Cir. 2016)). While we will continue to “avoid [the statutory standing] appellation going forward,” see Am. Psychiatric Ass'n, 821 F.3d at 359, we nonetheless use the term where necessary in this summary order when quoting previous decisions by this Court.
4. Although these principles arose out of decisions involving alleged violations of federal laws, the parties do not argue that our analysis should proceed any differently when a state law is at issue. We accordingly assume for the purposes of this appeal that the foregoing Article III standing analysis applies to alleged procedural violations of BIPA as well.
5. The second amended complaint (“SAC”) states that had Ricardo Vigil known “that Take-Two would collect ․ his unique biometric identifiers and/or biometric information without his informed written consent ․ , [he] would not have purchased the NBA 2k15 video game.” App. 29. While that may be true, the pleadings do not allege that Take-Two's omission of the term “geometry” actually led plaintiffs to unwittingly turn over their biometric identifiers.
6. Although there is some ambiguity in the decision below, we do not interpret the district court as having held that violations of BIPA's data security provisions confer standing only where there has been an actual data breach.
7. We note that pursuant to the Supreme Court's decision in Clapper v. Amnesty Int'l USA, 568 U.S. 398, 414 n.5 (2013), a plaintiff may establish an Article III injury-in-fact where there is “a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Id. (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 153 (2010)). Because we find that plaintiffs have failed to establish a “substantial risk” of harm, we do not reach whether plaintiffs incurred reasonable mitigation costs.