AWS Can’t Shake BIPA Lawsuit for Providing Services to NBA 2K–Mayhall v. Amazon

[This opinion from May just showed up in my alerts. I believe that’s because the court and parties are battling over redactions. There have been other decisions involving BIPA, NBA 2K, and sometimes AWS that I haven’t comprehensively blogged. I still figure it’s worth flagging for the ways plaintiffs are reaching behind-the-scenes players.]

This case involves the videogame NBA 2K, not a stranger to this blog. The plaintiffs allege that NBA 2K violates BIPA by scanning players’ faces to make customized avatars. AWS provides services to Take-Two, maker of NBA 2K. “Plaintiff alleges that Amazon stored his face geometry at each regional and edge location through which it passed. Accordingly, every time he played NBA 2K21 with his customized player, Plaintiff alleges that Amazon obtained, disseminated, and stored his biometric information. Plaintiff further alleges that Defendants knew they were collecting biometric data from Illinois citizens, including children, in violation of Illinois state law.”

The plaintiffs claim that AWS “possesses” the biometric data but does not comply with the necessary steps under BIPA. The court gives all benefit of the doubt to the plaintiffs, saying “The FAC alleges that Defendants knowingly obtained users’ face geometry data from Take-Two and that it remains in their control as they disseminate and store it on their servers.” Plus, the court overinterprets AWS’s TOS, saying “Amazon can access and/or control customer content under at least some terms of those very agreements and policies.”

For another part of BIPA, the plaintiffs have to show that AWS “obtained” their biometric data, taking some “active step” to do so. The court says the plaintiffs satisfied this too because “Plaintiff’s allegations establish more than passive possession.”

Amazon also invoked Section 230. The court doesn’t see that either:

“The CDA is inapplicable because Plaintiff’s BIPA claims do not treat Amazon’s conduct as publishing. Rather, BIPA imposes legally distinct duties to make certain disclosures and obtain consent before obtaining or using biometric information. These duties do not derive from or even require publishing—they arise from Defendants’ alleged possession, use, and/or dissemination of biometric data without notice or consent.”

The court cites to the federal Social Media Addiction ruling. Amazon argued that it would be weird for it to seek consent from Take-Two’s customers, who otherwise have no dealings with it. The court shrugs its shoulders.

This is a rough ruling for Amazon. It’s also a reminder that vendors deep in the stack (like AWS) want to stay out of their customers’ businesses, but courts aren’t necessarily willing to let them do so. See also the Cloudflare moves and the FOSTA rulings against Salesforce. Stated differently, what exactly do we want vendors like AWS to do…act as a government deputy to police their customers’ possible misdeeds?

Case Citation: Mayhall v. Amazon Web Services Inc., 2024 WL 3842563 (W.D. Wash. May 29, 2024)