By Ben L. Culpepper


Few social media users know exactly how much of their data is collected when the user engages with a social media app.[1] Social media apps such as Facebook and Instagram constantly collect private information from their users, including what posts spark a user’s interaction, what a user’s browsing history looks like, what a user’s purchase history consists of, and even a user’s facial data.[2] According to this Forbes article,[3] “64 percent of business owners collect your data from their social media sites, with Facebook accounting for 72 percent of the data collection, while Facebook-owned Instagram came in second at 59 percent.” With so much data being collected, and with consumers seemingly unable to avoid data collection if a consumer wishes to engage in social media, it can be challenging to identify an available remedy for consumers who wish to keep their personal data private.

Iowa introduced the Biometric Information Privacy Act (BIPA) in 2008 to give consumers a viable means of regulating what data of theirs can be collected.[4] BIPA gives consumers a private cause of action against an entity that collects a consumer’s private data, such as fingerprint scans, iris scans, and facial and voice recognition ID, without the entity receiving permission to do so from the consumer.[5] It is only one of two states who currently allow for a private cause of action against entities collecting data without a user’s permission.[6] What is also interesting about the statute, however, is that it gives consumers a remedy for a mere statutory violation, regardless of whether or not the consumer experienced any concrete harm.[7] Therefore, theoretically a consumer who properly alleges a violation of BIPA could recover injunctive or monetary relief without needing to prove concrete harm, a traditional element of Article III standing.

Article III standing, as articulated in Spokeo, Inc. v. Robins, 578 U.S. 330 (2016), requires an injury in fact for a potential plaintiff to be eligible to move forward with their suit.[8] Injury in fact, a threshold standing matter, requires an injury to a plaintiff to be both particularized and concrete.[9] Particularized can be satisfied rather easily; the plaintiff just needs to prove the harm happened to them in a personal and individual way, and it was not a harm against the general public such as a tax.[10] Concrete requires a few more steps. A plaintiff, in order to satisfy the concrete element, must prove that some harm actually exists and has or will likely occur to a plaintiff.[11] In Spokeo, Robins sued Spokeo, Inc. for violating the Fair Credit Reporting Act.[12] However, Spokeo, Inc. did not slander or talk negatively about Robins in Robins credit report, but in fact misrepresented him as a good and successful man.[13] The Supreme Court held that plaintiff, Robins, likely did not satisfy the concrete element of injury in fact because no actual harm occurred to him.[14]

The future of Iowa’s BIPA is not so certain under a Spokeo analysis. BIPA provides for recovery without needing to prove any concrete harm in contradiction to the Spokeo analysis.[15] In light of this, the 7th Circuit has not granted plaintiffs standing for a mere statutory violation of BIPA without plaintiffs alleging concrete harm.[16] The 7th Circuit in Thornley echoed much of the same language we saw in Spokeo, ultimately concluding that “[plaintiffs] do not [have standing]: they have described only a general, regulatory violation, not something that is particularized to them and concrete.”[17] Iowa citizens attempting to protect their biometric data under BIPA will not have an easy road proving standing if they wish to recover in federal courts.

Federal courts aside, Iowa citizens are still able to vindicate their claims in state court. The problem arises when a defendant removes the matter to federal court from state court, and then seeks a Rule 12(b)(6) motion to dismiss the case. With the standing hurdle in place, Iowa’s attempt to protect its citizens’ biometric data may be thwarted in federal court under the Spokeo standing requirements, making the road to recovery and protecting biometric data more uncertain for plaintiffs.


[1] See Lesley Fair, FTC’s $5 billion Facebook settlement: Record-breaking and history-making, Fed. Trade Comm. (Jul. 24, 2019),

[2] Anthony Cuthbertson, Instagram is “Most Invasive App,” New Study Shows, Independent (Mar. 18, 2021),; Sarah Perez, TikTok Just Gave Itself Permission to Collect Biometric Data on US Users, Including Faceprints and Voiceprints, TechCrunch (Jun. 3, 2021),

[3] Peter Suciu, Business Owners Increasingly Rely on Social Media to Gather Customer Data, Forbes (Dec. 21, 2021),

[4] Christopher Ward & Kelsey C. Boehm, Developments in Biometric Information Privacy Laws, Foley & Lardner LLP (June 17, 2021),

[5] Brian Humke, Unforgettable: Why Biometrics Policies Matter, Nyemaster Goode PC (Mar. 26, 2019),

[6] Ward, supra note 4.

[7] Christopher Ward & Aaron R. Wegrzyn, BIPA in Review: Recapping the Seventh Circuit’s Article III Standing Decisions, Foley & Lardner LLP (Jan. 21, 2021), [hereinafter BIPA in Review],

[8] Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016).

[9] Id.

[10] Id.

[11] Id. at 340.

[12] Id. at 330.

[13] Id.

[14] Id. at 343.

[15] BIPA in Review, supra note 7.

[16] Thornley v. Clearview AI, Inc., 983 F.3d. 1241, 1242 (7th Cir. 2021).

[17] Id. at 1248.

Image source: