NBA Video-Game Maker Dodges Biometric Privacy Class Suit

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

An NBA video game face-scanning feature to create customized players didn’t cause sufficient harm to a potential class of consumers to support Illinois biometric privacy statute claims, a federal appeals court affirmed Nov. 21.

The case is another example of how the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robins, which held that a plaintiff must allege a concrete and particularized injury to have legal standing to sue, is cited by courts to limit litigation involving allegations of only procedural violations of statutes.

None of the alleged procedural violations of the Illinois Biometric Information Privacy Act (BIPA) raise material risk of harm to the consumers’ privacy, the U.S. Court of Appeals for the Second Circuit held in a summary order affirming dismissal of the case ( Vigil v. Take-Two Interactive Software, Inc. , 2017 BL 416892, 2d Cir., No. 17-303, 11/21/17 ).

Under BIPA, a company can’t collect biometric information unless it informs a person in writing that the information is being stored, informs the subject about “the specific purpose and length of term” of use, and receives express written authorization to use the information. BIPA includes a private right of action that allows individuals to file lawsuits and seek to represent classes of similarly affected individuals.

Face Scan

The case arose out of consumer claims that Take-Two Interactive—the maker of the NBA2K and Grand Theft Auto game series—failed to provide adequate notice and guidelines for collecting, storing, using, and permanently destroying consumer biometric information, such as image scans of a player’s face.

The trial court dismissed the suit with prejudice, holding that the plaintiffs failed to allege that the biometric information may be used in a way “not contemplated by the underlying use” of the game features. Simply alleging that Take-Two didn’t follow every procedural aspect of BIPA isn’t enough alone to establish standing to sue, the court said.

On appeal, plaintiffs argued that Take-Two collected and disclosed their biometric data without authorization.

However, the appeals court found that the company informed consumers that the video game’s feature required a face scan, which would be “visible to other players during online gameplay.” The appeals court concluded that the disclosure was sufficient to meet BIPA’s mandates.

The appeals court affirmed the trial court’s dismissal of the case for lack of standing, but disagreed with the lower court’s ruling that the plaintiffs weren’t “aggrieved parties.” The appeals court therefore remanded the case with instructions to again dismiss, but this time without prejudice to allow the plaintiffs to refile.

Take-Two declined Bloomberg Law’s phone calls requesting comment on the ruling.

Carey Rodriguez Milian Gonya LLP represented the plaintiffs. Irell & Manella LLP represented Take-Two.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The order is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security