Video games have come a long way. While nostalgic gamers still have a soft spot for classic games like Asteroids, modern gamers value next-generation graphics and gameplay. The creators of NBA 2K responded to this consumer demand, incorporating face-scan technology into its basketball game, thereby allowing gamers to actually see themselves in the game.
Though the “MyPlayer” feature was highly popular (and created the phenomenon of people posting “face-scan fail” videos), the game was challenged in the matter of Vigil v. Take-Two Interactive Software, Inc. Filed in New York federal court, plaintiffs alleged that the makers of NBA 2K had violated the Illinois Biometric Information Privacy Act (“BIPA”)’s disclosure, consent, and retention requirements for private entities that collect, store, and disseminate biometric data. Defendant moved to dismiss, and the court agreed, dismissing the case on Spokeo grounds upon determining that Plaintiffs failed to allege concrete harm.
The court described the MyPlayer feature, noting that it required gamers to go through a lengthy process by which cameras would scan the gamer’s face and head and thereafter create a digital avatar for use in the game. If a gamer used the avatar in multiplayer mode, third parties could see that particular gamer’s avatar. Before using the “MyPlayer” feature, gamers were required to agree to the following:
Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement.
Despite having agreed to these terms, plaintiffs alleged that defendant had not provided sufficient disclosures. In particular, plaintiffs alleged that in violation of BIPA, Take-Two: (1) failed to provide a data retention schedule; (2) did not provide written notice to plaintiffs that biometric identifiers would be collected, or the purpose and length of that collection; (3) collected biometric data without first obtaining a written release; (4) disclosed biometric identifiers without obtaining adequate consent; (5) failed to transmit biometric identifiers with reasonable care; and (6) unlawfully profited from plaintiffs’ biometric identifiers.
Defendant argued for dismissal based on Spokeo and an alleged failure to state a claim under BIPA. The court agreed that the mere procedural violations of BIPA did not give rise to Article III standing. The court observed that BIPA was intended to ensure that when individuals participate in a biometric-facilitated transaction, the private entity protects that biometric data and does not use that data in a way not contemplated by the underlying transaction. Plaintiffs did not allege facts to support standing, because they essentially alleged that the biometric information obtained by the MyPlayer feature was used precisely in the way the MyPlayer feature was intended to function.
More specifically, the court found the harm alleged entirely speculative, as the complaint lacked allegations that the biometric data was misused by third parties in any way. And to the extent third parties did have access to the scans—e.g. in multiplayer mode—such access was specifically granted by players. The court also rejected plaintiffs’ complaints about the alleged deficient notice provided by defendant, observing that BIPA’s notice requirements did not advance an interest independent of BIPA’s goal of preventing biometric data misuse. Accordingly, even without fully compliant notice and consent, “no BIPA interest can be harmed so long as the private entity only uses the biometrics collected as both parties intended.” The court also rejected plaintiffs’ allegations regarding defendant’s alleged unlawful profits from the biometric identifiers, as the complaint lacked allegations that defendant used their facial scans in advertising or otherwise sold the scans to third parties.
The court also ruled that plaintiffs had not stated a claim under BIPA, because a party only has standing where he or she has been “aggrieved by a violation” of BIPA. Here too, because the allegations established that plaintiffs agreed to the precise conduct undertaken by defendant, plaintiffs had not been aggrieved.
This case demonstrates how Spokeo can be used by defendants in cases where plaintiffs have alleged mere procedural violations divorced from any actual allegations of harm. Ultimately, the plaintiffs here voluntarily agreed to create their basketball avatar, and after having done so and enjoyed the benefits of that technology, alleged claims based on mere procedural violations of BIPA. Plaintiffs have since appealed, so the Second Circuit may weigh in, providing further guidance on these standing issues.