Face Scanning Lawsuit Against Shutterfly Survives Motion to Dismiss

This is a lawsuit against Shutterfly alleging violations of Illinois’ biometric information privacy act. The plaintiff, who is not a Shutterfly customer, alleged that a photograph of him was uploaded (by a Shutterfly customer) to Shutterfly’s site and the uploader was then prompted to tag the face with a name. Plaintiff alleged that Shutterfly also extracted additional information “regarding [plaintiff’s] gender, age, race, and geographical location.” Plaintiff did not consent to this collection of information. Shutterfly moved to dismiss on several grounds. The court rejects its request, allowing the lawsuit to proceed.

Applicability of BIPA: The key question was whether BIPA applied to the information Shutterfly extracted. Other companies have been unsuccessful in arguing that information extracted from a photograph is not covered by BIPA. As the court acknowledges, the argument has obvious appeal, given that the definition of “biometric identifier” expressly excludes “photographs” and the definition of “biometric information” further excludes information “derived from items . . . excluded under the definition of barometric identifiers.” However, the court says Shutterfly’s interpretation would limit applicability of the term “scan of face geometry” to only an in-person scan. This narrow interpretation is contrary to the spirit and history of the statute. Shutterfly argued many of the other categories of “biometric identifiers” (iris scans, fingerprints, hand scans) cover information derived from in-person transactions and thus face scans should be treated similarly. The court questions whether this is accurate in light of evolving technology. In any event, the court says the statute is intended to have an expansive reach, and Shutterfly’s interpretation is unduly narrow (and would not account for evolving technologies).

Extraterritoriality/ Commerce Clause: Shutterfly argued that the statute should not apply extraterritorially; and if it did, it would violate the dormant Commerce Clause. The court agrees that the statute is not meant to apply extraterritorially, but says at the pleading stage there are enough allegations that violations of the statute took place in Illinois (or are indeterminate) (“given that [plaintiff’s] biometric data was extracted and stored in cyberspace, how is their physical location to be determined?”). The court also rejects the Dormant Commerce Clause argument, noting among other things that the proposed class is narrowly structured to apply only to photos “uploaded in Illinois”. There is little evidence at this stage that an Illinois law is being used to regulate conduct occurring wholly outside the state.

Damages: Shutterfly finally argued that there was no allegation of “actual damages”.  The court also rejects this argument saying that the plaintiff need only show that Shutterfly violated the statute. In so doing, the court part ways with a few other courts who have required some showing of damages. The court discusses Spokeo in a footnote, finding that plaintiff has alleged sufficient injury-in-fact for Article III standing purposes.


This is a pretty interesting opinion on all counts, although not a groundbreaking ruling on the question whether scanning uploaded photos implicates the Illinois biometric information privacy statute.

As the court notes, Texas and Illinois have passed a biometric privacy statute. Washington has a statute as well, but it’s slightly different. (See this BNA article noting some differences: “Washington Biometric Privacy Law Lacks Teeth of Illinois Cousin“.) The Illinois statute is far from clear as reflected by several court rulings. It appears that “biometric information” is intended to capture information derived from “biometric identifiers” so the exclusion of photographs from the latter should be the beginning and the end of the analysis. Nevertheless, this court is not alone in rejecting the argument of a company who used technology to “tag” someone in a photo. The court’s citation to the news articles reflecting advances in biometric extraction technology smacks a bit of panic. (See also this Guardian article: “AI can tell if people are gay or straight with one photo of their face“.)

There’s an undercurrent of the ruling that it’s limited in some way to acts that occur in Illinois, but as a practical matter, I wonder how easy it would be for a company such as Shutterfly to exclude Illinois from the locales where it scans photos. Although the court does not delve into precisely how locale is determined and how Shutterfly would go about excluding Illinois if it so wished to, I suspect it’s much easier said than done. This seems much more complicated than, say, restricting content in a particular jurisdiction, which itself seems like a challenge at best. Defendants’ arguments in these cases are vaguely reminiscent of the challenges to anti-spam laws, which mostly failed.

Finally, there is the standing/damages question. Since this case involves state law, it’s different from Spokeo (which dealt with the ability of Congress to carve out standing) but nevertheless the fact that Spokeo only warrants a footnote is noteworthy.

Case citation: Monroy v. Shutterfly, Inc., 2017 US Dist LEXIS 149604 (N.D. Ill. Sept. 15, 2017)

Related posts:

Facebook Gets Bad Ruling In Face-Scanning Privacy Case–In re Facebook Biometric Information Privacy Litigation

Shutterfly Can’t Shake Face-Scanning Privacy Lawsuit

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Disney Not Liable For Disclosing Device IDs And Viewing Habits

App Users Aren’t “Subscribers” Under the VPPA–Ellis v. Cartoon Network

Ninth Circuit Rejects Video Privacy Protection Act Claims Against Sony

AARP Defeats Lawsuit for Sharing Information With Facebook and Adobe

9th Circuit Rejects VPPA Claims Against Netflix For Intra-Household Disclosures

Lawsuit Fails Over Ridesharing Service’s Disclosures To Its Analytics Service–Garcia v. Zimride

Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed

Is Sacramento The World’s Capital of Internet Privacy Regulation? (Forbes Cross-Post)

Hulu Unable to Shake Video Privacy Protection Act Claims

California Assembly Hearing, “Balancing Privacy and Opportunity in the Internet Age,” SCU, Dec. 12

It’s Illegal For Offline Retailers To Collect Email Addresses–Capp v. Nordstrom

California Supreme Court: Retail Privacy Statute Doesn’t Apply to Download Transactions – Apple v Superior Court (Krescent)

CA Court Confirms that Pineda v Williams-Sonoma (the Zip-Code-as-PII Case) Applies Retrospectively — Dardarian v. OfficeMax

California Supreme Court Rules That a ZIP Code is Personal Identification Information — Pineda v. Williams-Sonoma