OPINION AND ORDER
JOHN G. KOELTL, District Judge:
The advent of new technologies in the field of biometrics — the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas — has produced new ways of conducting commercial transactions. In 2008, to promote, regulate, and safeguard the use of biometrics in financial transactions, Illinois enacted the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 et seq. (the "BIPA"), which sets forth disclosure, consent, and retention requirements for private entities that collect, store, and disseminate biometric data.
The defendant, Take-Two Interactive Software, Inc. ("Take-Two"), is one such private entity that collects biometric data for use in its video games, "NBA 2K15" and "NBA 2K16." The plaintiffs, Vanessa Vigil and Ricardo Vigil, have brought this putative class action pursuant to the Class Action Fairness Act, 28 U.S.C. § 1332(d). More specifically, Ricardo Vigil bought and played NBA 2K15, and his sister Vanessa Vigil played his copy of that video game. The plaintiffs used a feature in the video game to scan their respective faces to create personalized virtual basketball players, exclusively for in-game play. Although the plaintiffs do not contend that their face scans have been disseminated, or used for any purpose, other than for playing the video game, for which they gave consent, the plaintiffs contend that Take-Two failed to comply with various provisions of the BIPA.
On January 15, 2016, Take-Two moved pursuant to Rule 12(b)(1), and Rule 12(b)(6), of the Federal Rules of Civil Procedure to dismiss the plaintiffs' claims. Subsequently, the Supreme Court issued Spokeo, Inc. v. Robins, ___ U.S. ___, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016), which clarified that for an injury-in-fact to be "concrete," it must be "real, and not abstract," and that a "bare procedural violation" under a federal statute, "divorced from any concrete harm," that "may result in no harm," would not "satisfy the injury-in-fact requirement." Id. at 1549 (internal quotation marks omitted). By Order dated July 1, 2016, this Court ruled that the plaintiffs should be allowed to replead in light of Spokeo, and denied without prejudice to renewal Take-Two's pending motion to dismiss. See Dkt. 42. The plaintiffs filed their Second Amended Complaint, and Take-Two renewed its motion.
The parties subsequently submitted supplemental letters concerning the impact of Strubel v. Comenity Bank, 842 F.3d 181 (2d Cir. 2016), which interpreted Spokeo.
For the following reasons, Take-Two's motion to dismiss the Second Amended Complaint is granted.1
I.
When presented with a motion to dismiss under Federal Rule of Civil Procedure 12(b)(1) for lack of subject matter jurisdiction, and a motion to dismiss on other grounds, the first issue is whether the Court has the subject matter jurisdiction necessary to consider the merits of the action. See Rhulen Agency, Inc. v. Alabama Ins. Guar. Ass'n, 896 F.2d 674, 678 (2d Cir. 1990).
In defending against a motion to dismiss for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure, the plaintiff bears the burden of proving the Court's jurisdiction by a preponderance of the evidence. Makarova v. United States, 201 F.3d 110, 113 (2d Cir. 2000). In considering such a motion, the Court generally must accept the material factual allegations in the complaint as true. See J.S. ex rel. N.S. v. Attica Cent. Schs., 386 F.3d 107, 110 (2d Cir. 2004). The Court does not, however, draw all reasonable inferences in the plaintiff's favor. Id.; see also Graubart v. Jazz Images, Inc., No. 02-CV-4645 (KMK), 2006 WL 1140724, at *2 (S.D.N.Y. Apr. 27, 2006). Indeed, where jurisdictional facts are disputed, the Court has the power and the obligation to consider matters outside the pleadings, such as affidavits, documents, and testimony, to determine whether jurisdiction exists. See Anglo-Iberia Underwriting Mgmt. Co. v. P.T. Jamsostek, 600 F.3d 171, 175 (2d Cir. 2010); APWU v. Potter, 343 F.3d 619, 627 (2d Cir. 2003); Kamen v. Am. Tel. & Tel. Co., 791 F.2d 1006, 1011 (2d Cir. 1986). In so doing, the Court is guided by the body of decisional law that has developed under Rule 56 of the Federal Rules of Civil Procedure. Kamen, 791 F.2d at 1011; see also Aguilar v. Immigration & Customs Enf't Div. of the U.S. Dep't of Homeland Sec., 811 F.Supp.2d 803, 821-22 (S.D.N.Y. 2011).
In deciding a motion to dismiss pursuant to Rule 12(b)(6), the allegations in the complaint are accepted as true, and all reasonable inferences must be drawn in the plaintiff's favor. McCarthy v. Dun & Bradstreet Corp., 482 F.3d 184, 191 (2d Cir. 2007). The Court's function on a motion to dismiss is "not to weigh the evidence that might be presented at a trial but merely to determine whether the complaint itself is legally sufficient." Goldman v. Belden, 754 F.2d 1059, 1067 (2d Cir. 1985). The Court should not dismiss the complaint if the plaintiff has stated "enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). While the Court should construe the factual allegations in the light most favorable to the plaintiff, "the tenet that a court must accept as true all of the allegations contained in the complaint is inapplicable to legal conclusions." Id.
When presented with a motion to dismiss pursuant to Rule 12(b)(6), the Court may consider documents that are referenced in the complaint, documents that the plaintiff relied on in bringing suit and that are either in the plaintiff's possession or that the plaintiff knew of when bringing suit, or matters of which judicial notice may be taken. See Chambers v. Time Warner, Inc., 282 F.3d 147, 153 (2d Cir. 2002).
II.
Illinois enacted the BIPA in 2008. The legislative findings accompanying the BIPA explain that the BIPA was passed, in part, because the Illinois legislature anticipated that commercial businesses would increasingly use biometric data, such as fingerprints, to facilitate financial transactions. 740 Ill. Comp. Stat. 14/5(a-b). As the Illinois legislature observed, biometric data are by definition unique, and thus — unlike a credit card number — cannot realistically be changed if they are subject to identity theft. See 740 Ill. Comp. Stat. 14/5(c). The Illinois legislature was concerned that the failure of businesses to implement reasonable safeguards for such data would deter Illinois citizens from "partaking in biometric identifier-facilitated transactions" in the first place, and would thus discourage the proliferation of such transactions as a form of engaging in commerce. 740 Ill. Comp. Stat. 14/5(e). The BIPA represents the Illinois legislature's judgment that the collection and storage of biometrics to facilitate financial transactions is not in-of-itself undesirable or impermissible; instead, the purpose of the BIPA is to ensure that, when an individual engages in a biometric-facilitated transaction, the private entity protects the individual's biometric data, and does not use that data for an improper purpose, especially a purpose not contemplated by the underlying transaction. See 740 Ill. Comp. Stat. 14/5(a-g).
Under the BIPA, a "biometric identifier" is "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry," while "biometric information" is information based on "biometric identifiers." 740 Ill. Comp. Stat. 14/10. Among other things, the BIPA includes a number of provisions to regulate the collection, dissemination, and storage of biometric identifiers and biometric information. First, Section 15(a) provides that:
A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.
See 740 Ill. Comp. Stat. 14/15(a). Second, the BIPA requires private entities to "store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry," and to treat such identifiers and information as sensitive and confidential. 740 Ill. Comp. Stat. 14/15(e).
Third, Section 15(b) provides that a private entity that collects biometric identifiers or biometric information must (1) inform the subject in writing that a biometric identifier, or biometric information, is being collected; (2) inform the subject in writing of the purpose and length of the collection and storage; and (3) receive a written release from the subject. 740 Ill. Comp. Stat. 14/15(b). Fourth, Section 15(c) prohibits private entities from selling biometric identifiers and biometric information to third-parties. 740 Ill. Comp. Stat. 14/15(c). Finally, and relatedly, Section 15(d) prohibits private entities from disseminating biometric identifiers and biometric information without prior written consent, or unless such dissemination is necessary to complete a financial transaction authorized by the subject. 740 Ill. Comp. Stat. 14/15(d).
The BIPA provides that "any person aggrieved by a violation" of the BIPA may pursue money damages and injunctive relief against the offending party.2 See 740 Ill. Comp. Stat. 14/20. The BIPA also provides for attorney's fees to be awarded to the prevailing party. See id.
III.
A.
Take-Two is a Delaware corporation, with its headquarters and principal place of business located in New York, New York, that publishes, develops, and distributes video games. SAC ¶¶ 1, 9. Among numerous other video games, Take-Two publishes, develops, and distributes the popular video games "NBA 2K15" and "NBA 2K16" (collectively, the "NBA 2K Games") that are playable on personal computers and other gaming platforms. SAC ¶ 1. The NBA 2K Games are basketball simulation video games that allow a gamer to play as, and against, virtual basketball players, many of whom are designed based upon real professional players from the National Basketball Association. SAC ¶ 27. A gamer can play the NBA 2K Games in multiplayer mode with other gamers over the Internet. See, e.g., SAC ¶ 36.
The NBA 2K Games include the "MyPlayer" feature, which allows a gamer to create a "personalized basketball avatar" based upon a three-dimensional rendition of the gamer's face. SAC ¶¶ 27, 29. To create the avatar, the NBA 2K Games use cameras connected to the gaming platform to scan the gamer's face and head. SAC ¶ 29. The scanning is a lengthy and involved process that takes about 15 minutes, during which time the gamer must stare up-close at the camera while also turning his or her head from side-to-side at regular intervals. SAC ¶ 29.
The plaintiffs allege that Take-Two's proprietary technology extracts geometric data from the scan related to the unique points and contours of the gamer's face, and converts that data into a personally identifying animated rendition of the gamer's face. SAC ¶¶ 29-31. The rendition then becomes the face of the gamer's personalized basketball avatar for in-game play. SAC ¶ 29. The MyPlayer feature's only alleged purpose is to create personalized basketball avatars. See SAC ¶ 27.
If a gamer wishes to use the MyPlayer feature, the gamer must first agree to the following terms and conditions:
Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement.
www.take2games.com/eula
See SAC ¶ 28.3 Third-party gamers can view the rendition if the gamer choses to play with the personalized basketball avatar in multiplayer mode. See SAC ¶ 35. There is no requirement that a gamer who uses the MyPlayer feature be an actual purchaser or owner of an NBA 2K Game. See SAC ¶ 40.
The plaintiffs allege that Take-Two indefinitely stores the biometric information it collects through the face scans on its servers. SAC ¶ 28. They also allege that Take-Two transmits unencrypted biometric information through the "open commercial Internet." SAC ¶ 35. The plaintiffs further allege that Take-Two markets and advertises the MyPlayer feature. SAC ¶ 36.
B.
The plaintiffs, Ricardo Vigil and Vanessa Vigil, are siblings, and are alleged to be residents and citizens of Illinois. SAC ¶¶ 7-8, 39-40. The Second Amended Complaint alleges that Ricardo Vigil is the purchaser and owner of a copy of NBA 2K15, and that Vanessa Vigil played her brother's copy of the game. SAC ¶¶ 39-40.
The plaintiffs allege that they each used the MyPlayer feature to scan their faces to create their own personalized basketball avatars. SAC ¶ 41. Prior to the scanning, the plaintiffs allege that they each agreed to the MyPlayer terms and conditions described above. SAC ¶ 41. The plaintiffs allege that they subsequently chose to enter a multiplayer game with their personalized basketball avatars, meaning that the digital renditions of their faces, which the plaintiffs claim constitute biometric information under the BIPA, were visible to third-parties also playing NBA 2K15. SAC ¶ 45. The Second Amended Complaint contains no allegations regarding the quality of the plaintiffs' personalized basketball avatars, such as the degree to which the digitized faces of the plaintiffs' avatars resembled the plaintiffs.
Even though the plaintiffs agreed to the MyPlayer terms and conditions, the plaintiffs allege that they failed to appreciate the gravity associated with using MyPlayer — especially that renditions of their face scans would be allegedly indefinitely stored on Take-Two's servers, transmitted over the commercial Internet, and subject to allegedly inadequate protections — because they did not receive adequate written disclosures from Take-Two. See SAC ¶¶ 42-52. The plaintiffs allege that they have both "become weary" of participating in biometric-facilitated transactions, and have since refrained from participating in such transactions due to their experience with NBA 2K15. SAC ¶ 61.
The Second Amended Complaint alleges that Ricardo Vigil's purchase of NBA 2K15 was motivated in material part by his desire to use the MyPlayer feature, but that he did not at the time of the purchase understand Take-Two's alleged practices with respect to biometric information. SAC ¶¶ 53-55. The Second Amended Complaint alleges that, "After purchasing and opening the packaging on the NBA 2K15 video game, Plaintiff Ricardo Vigil had no option to return the video game for a monetary refund," and that he has therefore suffered tangible, monetary harm. SAC ¶ 55.
There is no allegation that the plaintiffs did not realize that their own faces were unique identifiers prior to using the MyPlayer feature. There is no allegation that the plaintiffs did not understand that the only purpose of the MyPlayer feature was to create a personalized basketball avatar for in-game play, including in multiplayer mode. And there is no allegation that the plaintiffs' face scans have been disseminated in any form other than to the gamers who played in multiplayer games with the plaintiffs.4
The plaintiffs claim that Take-Two has violated the BIPA in almost every respect. First, the plaintiffs claim that Take-Two did not publicly provide a retention schedule or guidelines for permanently destroying biometric identifiers in violation of Section 15(a). SAC ¶¶ 38, 75. Second, they claim that Take-Two failed to inform the plaintiffs properly in writing that their biometric identifiers would be collected, and failed to explain the purpose and length of that collection, in violation of Section 15(b). SAC ¶¶ 32-33, 73. Third, the plaintiffs claim that Take-Two collected biometric information without first obtaining a written release from the plaintiffs, also in violation of Section 15(b). SAC ¶¶ 34, 74. Fourth, the plaintiffs claim that Take-Two disclosed and disseminated their biometric identifiers without obtaining adequate consent in violation of Section 15(d). SAC ¶¶ 35, 76. Fifth, the plaintiffs claim that Take-Two failed to transmit their biometric identifiers with industry-standard reasonable care in violation of Section 15(e). SAC ¶¶ 35, 37, 77. Finally, the plaintiffs claim that Take-Two has profited from the plaintiffs' biometric identifiers in violation of Section 15(c). SAC ¶¶ 36, 57, 78.
The plaintiffs seek money damages, injunctive relief, and reasonable attorney's fees. SAC ¶¶ 79-80.
IV.
The plaintiffs have compiled a long list of purported technical violations of the BIPA. In an effort to create standing to pursue their claims for these technical violations, the plaintiffs try several different alleged theories of harm, variously arguing that they have suffered from the procedural violations themselves (including from "informational injuries" and the enhanced risk of harm that their face scans will be subject to a data breach); apprehension about engaging in future biometric-facilitated transactions; misappropriation; intrusion on seclusion; and a diminished benefit-of-the-bargain associated with purchasing NBA 2K15.
Take-Two has moved to dismiss the Second Amended Complaint for two reasons. First, pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure, Take-Two argues that the plaintiffs do not have Article III standing to pursue their claims under the Constitution. Second, pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure, Take-Two argues that the plaintiffs do not have a cause of action under the BIPA.5
A.
Article III of the United States Constitution limits the jurisdiction of federal courts to "Cases" and "Controversies." Lujan v. Defenders of Wildlife, 504 U.S. 555, 559, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992). To satisfy the requirements of Article III standing, a plaintiff must show that (1) the plaintiff has suffered an actual or imminent injury in fact, which is concrete and particularized; (2) there is a causal connection between the injury and defendant's actions; and (3) it is likely that a favorable decision in the case will redress the injury. Id. at 560-61, 112 S.Ct. 2130. "The party invoking federal jurisdiction bears the burden of establishing these elements." Id. at 561, 112 S.Ct. 2130; see also Springer v. U.S. Bank Nat'l Ass'n, No. 15-CV-1107(JGK), 2015 WL 9462083, at *3 (S.D.N.Y. Dec. 23, 2015). In a class action, a court must analyze the injuries allegedly suffered by the named plaintiffs, not unnamed members of the potential class, to determine whether the plaintiffs have Article III standing. Warth v. Seldin, 422 U.S. 490, 502, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975).
A legally protected interest may exist solely by virtue of "statutes creating legal rights, the invasion of which creates standing." Id. at 500, 129 S.Ct. 1142. However, the injury-in-fact requirement "is a hard floor of Article III jurisdiction that cannot be removed by statute." Summers v. Earth Island Inst., 555 U.S. 488, 497, 129 S.Ct. 1142, 173 L.Ed.2d 1 (2009).
"An allegation of future injury may suffice if the threatened injury is `certainly impending,' or there is a `substantial risk' that the harm will occur." Susan B. Anthony List v. Driehaus, ___ U.S. ___, 134 S.Ct. 2334, 2341, 189 L.Ed.2d 246 (2014) (quoting Clapper v. Amnesty Int'l USA, 568 U.S. 398, 133 S.Ct. 1138, 1150 n.5, 185 L.Ed.2d 264 (2013)). The Supreme Court in Spokeo, Inc. v. Robins, ___ U.S. ___, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016), recently clarified that "[f]or an injury to be `particularized,' it `must affect the plaintiff in a personal and individual way,'" id. at 1548 (quoting Lujan, 504 U.S. at 560, 112 S.Ct. 2130 n.1), while for an injury to be "concrete," it must be "real, and not abstract," id. at 1548 (internal quotation marks omitted). The Court instructed that the determination of whether a violation of a statute constitutes a concrete injury-in-fact is aided by reference to congressional intent and the common law. Id. However, Spokeo held that although "Congress may `elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate in law,'" id. at 1549 (quoting Lujan, 504 U.S. at 578, 112 S.Ct. 2130), a "bare procedural violation" under a federal statute, "divorced from any concrete harm," that "may result in no harm," would not "satisfy the injury-in-fact requirement." Id.
In the context of the Fair Credit Reporting Act (the "FCRA") — which requires consumer reporting agencies to "`follow reasonable procedures to assure maximum possible accuracy of' consumer reports," and "to notify providers and users of consumer information of their responsibilities under the [FCRA]," and gives an injured individual a private right of action for an agency's willful failure to comply with the FCRA, see id. at 1545 (citations omitted) — the Supreme Court in Spokeo observed that an agency that merely disseminated a deficient statutory notice, or inaccurate information that was not materially inaccurate, absent more, would have only committed "bare procedural violations" of the FCRA that would not give rise to a concrete injury, see id. at 1550.6
The Court of Appeals for the Second Circuit in Strubel v. Comenity Bank, 842 F.3d 181 (2d Cir. 2016), interpreted "Spokeo, and the cases cited therein, to instruct that an alleged procedural violation can by itself manifest concrete injury where Congress conferred the procedural right to protect a plaintiff's concrete interests and where the procedural violation presents a `risk of real harm' to that concrete interest. But even where Congress has accorded procedural rights to protect a concrete interest, a plaintiff may fail to demonstrate concrete injury where violation of the procedure at issue presents no material risk of harm to that underlying interest." Id. at 190 (citation omitted). In Strubel, a consumer claimed that a bank's allegedly deficient disclosures violated the Truth in Lending Act (the "TILA"), and entitled the consumer to seek statutory damages under the TILA. See id. at 185-87. The Court of Appeals began its assessment of the consumer's standing by analyzing the concrete interests protected by the TILA. See id. at 189-90 ("[T]o determine whether a procedural violation manifests injury in fact, a court properly considers whether Congress conferred the procedural right in order to protect an individual's concrete interests."). The court observed that the goals of the TILA's disclosure requirements are to "protect consumers against inaccurate and unfair credit billing and credit card practices and promote the informed use of credit by assuring a meaningful disclosure of credit terms." Id. at 187 (citation and internal quotation marks omitted). In other words, these were the concrete interests that the TILA's mandatory disclosure requirements were designed to protect. See id.
The Court of Appeals concluded that the consumer had standing to pursue only some of her claims of TILA violations. The court found that the consumer had standing to pursue claims related to notice violations that could actually hinder the exercise of her prospective rights as a consumer, without any allegations of additional harm, because those violations could frustrate a "core object of the TILA" of "avoiding the uninformed use of credit." Id. at 192 (citation and internal quotation marks omitted). As the court observed, "A consumer who is not given notice of his obligations is likely not to satisfy them and, thereby, unwittingly to lose the very credit rights that the law affords him." Id.
By contrast, the Court of Appeals found that a claim based upon the failure to present clearly certain information in the notice about the bank's prospective obligations to the consumer — but that could not plausibly obscure prospective rights that the consumer could exercise — would be too abstract to support standing because no actual harm resulted, and, even if a risk of harm had materialized, the bank could have still complied with its obligations under the TILA despite the deficient notice about its obligations. See id. at 194 ("It would be more than curious to conclude that a consumer sustains real injury to concrete TILA interests simply from a creditor's failure to advise of a reporting obligation that, in the end, the creditor honors."). There was no real material risk that the goals of the TILA would be frustrated by these statutory violations. See id. at 193-94. While not dispositive, the Court of Appeals also noted that the consumer had not alleged that she (or, more generally, any consumer) would have changed her behavior to avoid any adverse consequences from the deficient notice, which further weighed against a finding of standing. Id. at 193. In addition, the Court of Appeals found that the bank's failure to notify the consumer about a credit product that the bank did not offer could not support standing. Id. at 192.
Also instructive is a recent decision of the United States District Court for the Northern District of Illinois in McCollough v. Smarte Carte, Inc., No. 16 CV 03777, 2016 WL 4077108 (N.D. Ill. Aug. 1, 2016), which denied standing to a plaintiff for alleged violations of the BIPA. In that case, the defendant provided for rent a fingerprint-coded locker that used the plaintiff's fingerprint as the "key" to lock and unlock the locker. See id. at *1. The plaintiff claimed that the defendant had violated multiple provisions of the BIPA. See id. Specifically, the plaintiff alleged that the defendant collected and indefinitely retained fingerprint data without publishing any destruction guidelines. See id. at *1-2. The plaintiff also alleged that the defendant failed to give any notice, or receive any written consent acknowledging, that the defendant was collecting or using biometric identifiers. Id. at *1. The court dismissed the plaintiff's claims of bare procedural and technical violations of the BIPA for want of Article III standing, reasoning that the plaintiff "undoubtedly understood when she first used the system that her fingerprint data would have to be retained until she retrieved her belongings from the locker." Id. at *3. As the court held, "Even without prior written consent to retain, if [the defendant] did indeed retain the fingerprint data beyond the rental period, this Court finds it difficult to imagine, without more, how this retention could work a concrete harm." Id. at *4 (citing Gubala v. Time Warner Cable, Inc., No. 15-CV-1078-PP, 2016 WL 3390415, at *4 (E.D. Wis. June 17, 2016), aff'd, No. 16-2613, 846 F.3d 909, 2017 WL 243343 (7th Cir. Jan. 20, 2017)); see also Gubala v. Time Warner Cable, Inc., No. 16-2613, 846 F.3d 909, 910-13, 2017 WL 243343, at *1-4 (7th Cir. Jan. 20, 2017) (dismissing for lack of Article III standing claims for alleged violations of the Cable Communications Policy Act (the "CCPA"), a data protection statute analogous to the BIPA); Braitberg v. Charter Commc'ns, Inc., 836 F.3d 925, 930 (8th Cir. 2016).7
(i)
The plaintiffs argue that the purported procedural violations of the BIPA, without any allegations of additional harm, are sufficient to confer standing. The plaintiffs' allegations of procedural violations fall into two interconnected categories: violation of the provisions regulating the storage and dissemination of biometric information, see 740 Ill. Comp. Stat. 14/15(a), (b), (c), (e), and violation of the provisions governing notice and consent, see 740 Ill. Comp. Stat. 14/15(a), (b), (d).
Under Strubel, to assess the plaintiffs' standing to pursue their claims, the first task is to identify any "concrete interests" protected by the BIPA. The plaintiffs contend that an individual's right to privacy in the individual's biometrics is the concrete interest protected by the BIPA. Cf. In re Facebook Biometric Info. Privacy Litig., 185 F.Supp.3d 1155, 1169 (N.D. Cal. 2016) (reasoning that, for conflict of laws purposes, the "BIPA manifests Illinois' substantial policy of protecting its citizens' right to privacy in their personal biometric data").8 Put more finely, "[t]he core object," Strubel, 842 F.3d at 191, of the BIPA is data protection to curb potential misuse of biometric information collected by private entities. The provisions of the BIPA plainly seek to ensure that, when an individual engages in a biometric-facilitated transaction, the private entity protects the individual's biometric data, and does not use that data in a way not contemplated by the underlying transaction. The BIPA expressly contemplates the use of biometric information for the transactions contemplated by the parties. See also 740 Ill. Comp. Stat. 14/10(d)(2) (permitting "disclosure or redisclosure" of biometrics that "completes the financial transaction").
None of the plaintiffs' allegations of procedural violations, on their own, demonstrate a material risk of harm to the BIPA's concrete data protection interest because there is no plausible allegation that there is a material risk that the plaintiffs' biometrics may be used in a way not contemplated by the underlying use of the MyPlayer feature. The plaintiffs allege that they agreed to the MyPlayer terms and conditions, that NBA 2K15 scanned their faces to create personalized basketball avatars, and that the plaintiffs used their personalized basketball avatars for in-game play. The plaintiffs thus allege that the MyPlayer feature functioned exactly as anticipated. There is no allegation that Take-Two has disseminated or sold the plaintiffs' biometric data to third-parties, or that Take-Two has used the plaintiffs' biometric information in any way not contemplated by the only possible use of the MyPlayer feature: the creation of personalized basketball avatars for in-game play. See Boelter v. Hearst Commc'ns, Inc., 192 F.Supp.3d 427, 437-38, 2016 WL 3369541, at *3 (S.D.N.Y. 2016) (holding that the plaintiffs had standing to pursue claims for alleged violations of the Michigan Video Rental Privacy Act where the defendant-company, without permission, sold personal data to third-parties, including data mining companies). The purported violations of the BIPA are, at best, marginal, and the plaintiffs lack standing to pursue their claims for the alleged bare procedural violations of the BIPA.
(a)
With respect to the purported violations of the BIPA's storage and dissemination provisions, the plaintiffs fail to establish that there is an imminent risk of harm that Take-Two's storage and dissemination of their facial scans could compromise the data protection interest of the BIPA. The plaintiffs primarily predicate their standing argument on Take-Two's alleged failure to store and transmit their facial scans with a reasonable degree of industry-standard care, and in a manner used for other types of confidential and sensitive information, in violation of Section 15(e) of the BIPA.
In Strubel, the Court of Appeals cited the decision of the Court of Appeals for the Eighth Circuit in Braitberg, 836 F.3d at 929-30, which held "that [the] unlawful retention of personal information did not manifest concrete injury absent alleged disclosure or misuse," Strubel, 842 F.3d at 194 n. 15, and the decision of the Court of Appeals for the Sixth Circuit in Galaria v. Nationwide Mut. Ins. Co., 663 Fed.Appx. 384, 388-89, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016) (summary order), which held that the "failure to adopt statutorily mandated procedures to protect against wrongful dissemination of data manifested concrete injury where plaintiffs alleged data was stolen." Strubel, 842 F.3d at 194 at n. 15. This case is plainly more analogous to Braitberg than Galaria. The plaintiffs' allegations do not establish an imminent risk that their biometrics could actually be misused, and there has been no event, such as the data theft in Galaria, that could make any such risk rise above the abstract level. See also Gubala, 846 F.3d at 910-11, 2017 WL 243343, at *1 ("[The plaintiff] has presented neither allegation nor evidence of having been `aggrieved' by [the defendant's] violation of [the CCPA] — no allegation or evidence that in the decade since he subscribed to [the defendant's] residential services any of the personal information that he supplied to the company when he subscribed had leaked and caused financial or other injury to him or had even been at risk of being leaked.").
At best, the plaintiffs' allegations are that Take-Two's storage and dissemination practices have subjected their facial scans to an "enhanced risk of harm" of somehow falling into the "wrong hands," which is too abstract and speculative to support standing. See McCollough, 2016 WL 4077108, at *4; see also, e.g., Nat'l Council of La Raza v. Gonzales, 468 F.Supp.2d 429, 444 (E.D.N.Y. 2007) ("[S]peculation that ... some unauthorized party may access plaintiffs' [information stored in a database] in violation of a plaintiff members' privacy right does not satisfy the requirement that plaintiffs identify an `actual or imminent,' `concrete and particularized' injury."); Gubala, 846 F.3d at 910-12, 913, 2017 WL 243343, at *1-2, *4; Braitberg, 836 F.3d at 930; Chambliss v. Carefirst, Inc, 189 F.Supp.3d 564, 568 (D. Md. 2016) (dismissing claims for failure to protect personal data in compliance with the Maryland Personal Information Protection Act for want of standing); see also Clapper, 133 S.Ct. at 1150 (expressing "our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors"). Indeed, the plaintiffs do not allege that their face scans have been obtained by a third-party, subjected to identity theft, or misused in any way.
The plaintiffs attempt to circumvent the speculative and abstract nature of their claims by arguing that the potential risk of harm associated with the face scans could be potentially great because faces are relatively immutable, and, unlike (for example) passwords, cannot be changed. But the hypothetical magnitude of a highly speculative and abstract injury that is not certainly impending does not make the injury any less speculative and abstract. See Clapper, 133 S.Ct. at 1147-1148; Summers, 555 U.S. at 497, 129 S.Ct. 1142 ("[T]he injury-in-fact requirement is a hard floor of Article III jurisdiction that cannot be removed by statute.").
The plaintiffs also argue that Take-Two violated Section 15(c) of the BIPA by somehow "profiting" from the plaintiffs' facial scans when the plaintiffs played NBA 2K15 with their personalized basketball avatars in multiplayer mode. The plaintiffs' theory appears to be that Take-Two advertises the MyPlayer feature, which encourages individuals to purchase NBA 2K15 games.9 The allegations are insufficient for standing because they do not establish that the plaintiffs suffered any actual or imminent harm as a result of Take-Two's advertising practices. The plaintiffs allege that Take-Two has advertised the MyPlayer feature; they do not allege that Take-Two has used their facial scans to promote or advertise NBA 2K15, or that Take-Two has otherwise profited from their facial scans by, for example, selling the scans to third-parties.
(b)
With respect to the purported violations of the notice and consent provisions, the plaintiffs claim that the notice and consent that they received was insufficient because the MyPlayer feature terms and conditions did not specifically disclose that their faces constituted biometrics, the purpose of the scanning, or the length of the face scan retention period; because the plaintiffs' consent to use the MyPlayer feature was not embodied in a writing; and because Take-Two did not publish a biometric retention schedule. These violations can only support standing if they pose a material risk of harm to the data protection goal of the BIPA. At best, more extensive notice and consent could have dissuaded the plaintiffs from using the MyPlayer feature, meaning that Take-Two would have never collected the plaintiffs' biometrics. But the plaintiffs have failed to establish that their use of the MyPlayer feature resulted in any imminent risk that the data protection goal of the BIPA would be frustrated. Consequently, more extensive notice and consent could not have altered the standing equation because there has been no material risk of harm to a concrete BIPA interest that more extensive notice and consent would have avoided.
The plaintiffs argue that the alleged notice and consent violations harmed their "right-to-information" about the underlying biometric transaction, which the plaintiffs contend should be sufficient in-of-itself to confer standing without any allegations of additional harm. The purported right-to-information about a biometric-facilitated transaction is not a concrete interest separate from the core object of the BIPA to prevent biometric data misuse. The alleged failure to give the plaintiffs more extensive notice and consent is not a material risk to a concrete BIPA interest where no material risk of biometric data misuse ever materialized. See Spokeo, 136 S.Ct. at 1549; McCollough, 2016 WL 4077108, at *3-4.
Contrary to the plaintiffs' arguments, the BIPA is not akin to a statute where the right-to-information is a concrete interest in-of-itself, such as a statute designed to give a consumer information about prospective statutory rights that the consumer could exercise, but that might otherwise be lost, see Strubel, 842 F.3d at 191-92 (discussing the TILA); a statute designed to provide information about government activities, see FEC v. Akins, 524 U.S. 11, 21, 118 S.Ct. 1777, 141 L.Ed.2d 10 (1998) (the Federal Election Campaign Act); Pub. Citizen v. Dep't of Justice, 491 U.S. 440, 449-50, 109 S.Ct. 2558, 105 L.Ed.2d 377 (1989) (the Federal Advisory Committee Act); or a statute designed to remedy housing discrimination by ensuring that all individuals, including protected classes, receive truthful information about housing availabilities, see Havens Realty Corp. v. Coleman, 455 U.S. 363, 374, 102 S.Ct. 1114, 71 L.Ed.2d 214 (1982) (the Fair Housing Act).
Unlike statutes where the provision of information about statutory rights, or matters of public concern, is an end itself, the BIPA's notice and consent provisions do not create a separate interest in the right-to-information, but instead operate in support of the data protection goal of the statute. Section 15(a) requires that private entities publish retention and destruction schedules for biometric data. However, a private entity may destroy biometrics pursuant to the requirements set forth in Section 15(a), and thus effectively comply with the core data protection goal of the BIPA while also technically violating the BIPA by failing to publish a retention schedule. See Strubel, 842 F.3d at 194 ("It would be more than curious to conclude that a consumer sustains real injury to concrete TILA interests simply from a creditor's failure to advise of a reporting obligation that, in the end, the creditor honors.").
The BIPA's mandated disclosures are minimal. Section 15(b) of the BIPA simply provides that a notice must "inform[] the subject ... in writing that a biometric identifier or biometric information is being collected or stored," that the notice must include the length and purpose of that collection, and that consent must be in writing. The BIPA's disclosure and consent requirements are plainly designed to allow parties to set the contours for the permissible uses of the biometrics collected in the underlying biometric-facilitated transaction to ensure that the data collected is used only for the fulfillment of the transaction in question. Once biometric data is collected by a private entity, there is no further prospective BIPA right that the individual can exercise — and thus that the individual could be advised about at the outset — other than to expand the scope of the underlying transaction pursuant to Section 15(d). See Strubel, 842 F.3d at 194 (finding that disclosures that did not hinder the exercise of prospective rights that the consumer could exercise weighed against a finding of standing). Even without fully compliant notice and consent, no concrete BIPA interest can be harmed so long as the private entity only uses the biometrics collected as both parties intended. See McCollough, 2016 WL 4077108, at *3.
In arguing that bare violations of the notice and consent provisions alone can support standing, the plaintiffs are essentially attempting to bootstrap two sets of bare procedural violations — the alleged procedurally deficient notice and consent that failed to warn the plaintiffs about the later procedural violations of the BIPA with respect to storage and dissemination — without establishing a material risk to a concrete interest protected by the BIPA. But "in the absence of a connection between a procedural violation and a concrete interest, a bare violation of the former does not manifest injury in fact." Strubel, 842 F.3d at 189. The only concrete interest protected by the BIPA is biometric data protection. Because the plaintiffs have failed to establish a material risk to that interest, the plaintiffs' claims of violations of the notice and consent provisions of the BIPA must be dismissed for want of standing.
Moreover, the difference between the actual notice and consent in this case, and that purportedly required by the BIPA, does not rise to more than a procedural violation, which is plainly insufficient for standing under Spokeo and Strubel. There is no plausible allegation that, based on the notice the plaintiffs received, the plaintiffs did not understand that their faces would be scanned, and that those face scans would be used to create personalized basketball avatars. The plaintiffs allege that they received advance notice that their faces would be scanned, that they consented to have their faces scanned when they agreed to the MyPlayer terms and conditions, and that Take-Two used the face scans to create personalized basketball avatars. Ricardo Vigil allegedly bought NBA 2K15 so that the plaintiffs could use the MyPlayer feature for its only alleged purpose, the creation of personalized basketball avatars. The plaintiffs further allege that they appreciated that the digitized renditions of their faces would appear onscreen in multiplayer mode over the Internet. The allegations establish that the plaintiffs understood the purpose of using the MyPlayer feature, and there is no allegation that Take-Two has strayed from that purpose.
Although the MyPlayer terms and conditions explicitly referenced "face scans," SAC ¶ 28, the plaintiffs claim that they did not understand that their "face scans" were unique "biometric identifiers" as defined by the BIPA. To the extent that informing a "subject" in a notice about a "face scan" (a type of biometric identifier), as opposed to using the specific words "biometric identifier" (a statutory term of art), is in fact a violation of the BIPA, the alleged violation is merely a procedural violation, and poses no real risk of harm to a BIPA interest. The allegations show that the plaintiffs, at the very least, understood that Take-Two had to collect data based upon their faces in order to create the personalized basketball avatars, and that a derivative of the data would be stored in the resulting digital faces of those avatars so long as those avatars existed. See McCollough, 2016 WL 4077108, at *1 n.1, *3 (finding that it would be inconceivable that a plaintiff would not understand that a locker that used a fingerprint to lock-and-unlock the locker would not collect and store fingerprint data).
The gravamen of the plaintiffs' right-to-information theory is thus necessarily that, even though the plaintiffs understood the purpose of the face scans, the plaintiffs did not adequately understand that Take-Two had a duty under the BIPA to destroy their biometric data within a prescribed time period. Although Take-Two failed to disclose the length of the retention, the allegedly indefinite retention does not on its own pose an imminent risk of harm to any concrete BIPA interest. See Gubala, 846 F.3d at 910-12, 2017 WL 243343, at *1-2; Braitberg, 836 F.3d at 929-30; McCollough, 2016 WL 4077108, at *3-4. Moreover, Take-Two may ultimately destroy the biometric data in compliance with Section 15(a) of the BIPA. Thus, the technical violations of the BIPA may result in no harm to the plaintiffs despite the notice deficiency, which cannot support standing. See Strubel, 842 F.3d at 194 (citing Spokeo, 136 S.Ct. at 1550).
In addition, the plaintiffs do not claim that they would have foregone use of the MyPlayer feature if they had received more extensive notice and consent. The Second Amended Complaint only alleges that, had Ricardo Vigil known that Take-Two was not complying with the BIPA, he would not have purchased NBA 2K15. But even that allegation of buyer's remorse is not plausible given the allegation that both plaintiffs used the MyPlayer feature, and that any failure to comply with the BIPA presented no risk of an imminent or concrete injury to either of the plaintiffs. See Strubel, 842 F.3d at 193-94.
Accordingly, the plaintiffs' claims for procedural violations of the notice and consent provisions of the BIPA are not in-of-themselves sufficient to confer standing.
(ii)
The plaintiffs advance several theories of additional harm in an effort to manufacture an injury-in-fact, but these theories are divorced from any alleged violations of the BIPA. None of the theories is sufficient for standing purposes.
First, the plaintiffs claim that, as a result of their experiences with NBA 2K15, they have become reluctant to enter into future biometric-facilitated transactions. The plaintiffs have suffered no injury-in-fact as a result of Take-Two's alleged violations of the BIPA, and "cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending." Clapper, 133 S.Ct. at 1151; see also Katz v. Pershing, LLC, 672 F.3d 64, 79 (1st Cir. 2012) ("When an individual alleges that her injury is having to take or forebear from some action, that choice must be premised on a reasonably impending threat."). The plaintiffs' alleged apprehension that a hypothetical private entity may, in an unrelated biometric-facilitated transaction, violate the BIPA, is too speculative and abstract to support standing.
Second, the plaintiffs argue that Take-Two has misappropriated their facial scans to their detriment, and thereby invaded their privacy. They further contend that the BIPA represents an extension of Illinois common law privacy protections to biometrics.
Under Illinois law, to state an "appropriation claim," a plaintiff must allege "an appropriation, without consent, of one's name or likeness for another's use or benefit.... This branch of the privacy doctrine is designed to protect a person from having his name or image used for commercial purposes without consent." Dwyer v. Am. Exp. Co., 273 Ill.App.3d 742, 210 Ill.Dec. 375, 652 N.E.2d 1351, 1355 (1995) (citations omitted) (emphasis added). The plaintiffs' creative theory of misappropriation is incompatible with the claims in the Second Amended Complaint because the plaintiffs allege that they agreed to have their faces scanned, and displayed on personalized basketball avatars.
Moreover, while the plaintiffs argue that the plaintiffs' facial scans must have value to Take-Two, any value to Take-Two is irrelevant so long as Take-Two takes no action that diminishes the value of the plaintiffs' likenesses. See id. ("Undeniably, each cardholder's name is valuable to defendants.... [But] defendants' practices do not deprive any of the cardholders of any value their individual names may possess."). There is no allegation that Take-Two has taken any action that would diminish the value of the plaintiffs' likenesses, and thus no allegations that could support an injury-in-fact for misappropriation. See, e.g., Gubala, 846 F.3d at 912, 2017 WL 243343, at *3 (noting that "[v]iolations of rights of privacy are actionable, but ... there is no indication of any violation of the plaintiff's privacy because there is no indication that [the defendant] has released, or allowed anyone to disseminate, any of the plaintiff's personal information in the [the defendant's] possession" and characterizing the claim that the mere unlawful retention of personal information diminished the value of that information as "gibberish"); Braitberg, 836 F.3d at 930 ("Although there is a common law tradition of lawsuits for invasion of privacy, the retention of information lawfully obtained, without further disclosure, traditionally has not provided the basis for a lawsuit in American courts."). The plaintiffs' theory of misappropriation is inapplicable to this case.
Third, in their most recent submission, the plaintiffs contend that the real gravamen of their complaint is that, although they consented to have their faces scanned, they did not explicitly consent to have their biometric identifiers scanned and retained. The plaintiffs claim that this is a violation of their right to "biometric privacy." The plaintiffs argue that, because they gave consent in response to a procedurally deficient notice, their consent was ineffective.
The plaintiffs' theory of a violation of a right to biometric privacy is simply the latest variant on two already rejected theories of harm: misappropriation and injury to a purported BIPA "right-to-information" interest. There is no basis for this claimed injury. See Kamal v. J. Crew Grp., Inc., No. 2:15-0190 (WJM), 2016 WL 6133827, at *4 (D.N.J. Oct. 20, 2016) (noting that while a statute "as a whole may implicate traditional privacy interests, Plaintiff's alleged injury" that the defendants were disclosing information in violation of the statute was insufficient to establish standing).
Again, Illinois common law is instructive. Illinois has adopted the Second Restatement of Tort's definition of intrusion on seclusion, meaning, "One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person." Lawlor v. N. Am. Corp. of Ill., 368 Ill.Dec. 1, 983 N.E.2d 414, 424 (2012) (quoting Restatement (Second) of Torts § 652B (1977)). "The core of this tort is the offensive prying into the private domain of another.... The examples provided [by Prosser and Keeton's treatise on torts] as forming the basis for the tort of intrusion into the seclusion of another include the following acts: invading someone's home; an illegal search of someone's shopping bag in a store; eavesdropping by wiretapping; peering into the windows of a private home; and persistent and unwanted telephone calls." Lovgren v. Citizens First Nat. Bank of Princeton, 126 Ill.2d 411, 128 Ill.Dec. 542, 534 N.E.2d 987, 989 (1989) (citation omitted). Intrusion on seclusion is therefore analogous to tortious or criminal trespass. See id.; Benitez v. KFC Nat. Mgmt. Co., 305 Ill.App.3d 1027, 239 Ill.Dec. 705, 714 N.E.2d 1002, 1007 (1999). The sine qua non of an intrusion is that it is unauthorized. See Schmidt v. Ameritech Ill., 329 Ill.App.3d 1020, 263 Ill.Dec. 543, 768 N.E.2d 303, 312 (2002). Nevertheless, at common law, not every unlawful or unauthorized collection of information, or collection of information for an improper purpose, gave rise to an intrusion on seclusion. See, e.g., Dwyer, 210 Ill.Dec. 375, 652 N.E.2d at 1351, 1354 (affirming dismissal of intrusion on seclusion claim against a credit-card company that compiled and sold customer data to third-parties because the customers had voluntarily given such information to the company, even though the company gave no notice to its customers regarding the complained-of activities, which allegedly violated consumer protection laws).
The plaintiffs argue that the BIPA created a substantive right to privacy in biometric identifiers, but there is nothing in the statute to support the assertion. The BIPA created procedural safeguards so that consumers could enter into transactions using biometric identifiers without having those identifiers misused. The plaintiffs do not allege that their biometric identifiers have been used for anything other than for in-game play in NBA 2K15, a use for which the plaintiffs expressly consented. The plaintiffs' allegations are thus not akin to a violation of the common law tort of intrusion on seclusion, which involves an unauthorized intrusion.
Regardless of whether the plaintiffs understood the ins-and-outs of the face scanning technology, or knew that their faces were "biometric identifiers" under the BIPA, the plaintiffs plainly understood that the MyPlayer feature had to collect data based upon their unique faces to create the personalized basketball avatars. See McCollough, 2016 WL 4077108, at *3. Contrary to the plaintiffs' argument, a merely procedurally deficient notice does not automatically invalidate any resulting consent, and thus give rise to an Article III injury based on an invasion of privacy. See id.; Nokchan v. Lyft, Inc., No. 15-CV-03008-JCS, 2016 WL 5815287, at *6 (N.D. Cal. Oct. 5, 2016) (rejecting the claim "that the authorization [the plaintiff] gave [the defendant] to obtain his personal information was not proper" under the FCRA could support an injury for invasion of privacy); see also Gubala, 846 F.3d at 913, 2017 WL 243343, at *3 ("[The defendant] did not take the plaintiff's personal information away from him; he still has it ...; he hasn't been deprived of anything; and he isn't asking [the defendant] to return his personal information in its files to him; he is asking it to comply with the [CCPA] by destroying the information, an act that if committed is unlikely to have the least effect on him."); Braitberg, 836 F.3d at 930.
This case is nothing like the cases upon which the plaintiffs rely, such as Matera v. Google Inc., No. 15-CV-04062-LHK, 2016 WL 5339806 (N.D. Cal. Sept. 23, 2016). In that case, the court found that the plaintiffs had standing where the defendant had allegedly "intercept[ed], scan[ed], and analyz[ed]... email[s] ... without the plaintiffs' knowledge or consent" in violation of wire-tap and other privacy statutes. Id. at *1, *10-14. The plaintiffs' artful resort to a theory of intrusion on seclusion, or privacy, cannot save their claims.10
Finally, the plaintiffs argue that Ricardo Vigil suffered a tangible economic harm because he purchased NBA 2K15, in part, due to the presence of the MyPlayer feature, and has since wanted to return the game for a refund in light of Take-Two's alleged failure to comply with the BIPA. The implication is that, had Ricardo Vigil known that Take-Two would allegedly violate the BIPA, he would never have purchased the game. The plaintiffs' argument rests on a diminished "benefit-of-the-bargain" theory of liability — that Take-Two's alleged procedural violations diminished the value of the transaction for Ricardo Vigil.
The plaintiffs' argument is an odd fit with their claims that Take-Two violated the statutory provisions of the BIPA, and essentially crams a breach of contract, or unjust enrichment, theory of liability into a complaint that includes no breach of contract or unjust enrichment claims. See Rivera v. Wyeth-Ayerst Labs., 283 F.3d 315, 320-21 (5th Cir. 2002) (noting that "[t]he plaintiffs apparently believe that if they keep oscillating between tort and contract law claims, they can obscure the fact that they have asserted no concrete injury" and rejecting as "artful pleading" the plaintiffs' "attempt to recast their product liability claim in the language of contract law").
The plaintiffs' theory of harm is attenuated from any alleged procedural violations of the BIPA, which have caused Ricardo Vigil no concrete harm in the first place. In data storage and collection cases, courts have consistently rejected as too tenuous to support an injury-in-fact claims that a defendant's failure to comply with the law, or to prevent an actual data breach, diminished the "benefit-of-the-bargain." See, e.g., Braitberg, 836 F.3d at 931 ("Nor are we convinced that [the plaintiff] has alleged an economic injury arising from an alleged diminution of the value of the cable services that he purchased from [the defendant].... [W]ithout a plausible allegation that [the defendant's] mere retention of the information caused any concrete and particularized harm to the value of that information, [the plaintiff] has not adequately alleged that there was any effect on the value of the services that he purchased from [the defendant]."); Chambliss, 189 F.Supp.3d at 572-73; In re Zappos.com, Inc., 108 F.Supp.3d 949, 962 n.5 (D. Nev. 2015); In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 30 (D.D.C. 2014); Duqum v. Scottrade, Inc., No. 4:15-CV-1537-SPM, 2016 WL 3683001, at *6 (E.D. Mo. July 12, 2016). Ricardo Vigil received the benefit of the bargain with Take-Two, a copy of NBA 2K15 with a MyPlayer feature. The Second Amended Complaint fails to allege any way in which Take-Two's alleged procedural violations of the BIPA — which otherwise caused Ricardo Vigil no Article III injury — diminished the value of that bargain.
Furthermore, compliance with the laws is ordinarily not presumed to be part of a contractual bargain absent an express or implied agreement. See, e.g., Banco del Austro, S.A. v. Wells Fargo Bank, N.A., No. 16-CV-00628 (LAK), 215 F.Supp.3d 302, 304-05, 2016 WL 6084082, at *2 (S.D.N.Y. Oct. 18, 2016); Stewart v. Gino's E. Rest. Corp., No. 07C6340, 2008 WL 4865882, at *3 (N.D. Ill. July 8, 2008). The Second Amended Complaint has not alleged that Take-Two promised Ricardo Vigil that it would comply with the BIPA when he purchased NBA 2K15, let alone that Ricardo Vigil purchased NBA 2K15 with that expectation. As such, the Second Amended Complaint has not plausibly alleged that compliance with the BIPA was part of the bargain between Take-Two and Ricardo Vigil, meaning that any noncompliance with the BIPA by Take-Two could not have plausibly diminished the value of the bargain for Ricardo Vigil.
The plaintiffs cannot aggregate multiple bare procedural violations to create standing where no injury-in-fact otherwise exists. Accordingly, the plaintiffs do not have Article III standing to pursue their claims against Take-Two.
B.
Independent of Article III standing, Take-Two argues that the plaintiffs do not have a cause of action under the BIPA. The BIPA grants a private right of action to "any person aggrieved by a violation" of the BIPA. 740 Ill. Comp. Stat. 14/20. Take-Two interprets "aggrieved" as limiting the private of action to parties that have been injured by a statutory violation. Take-Two therefore contends that, for the reasons discussed above, the plaintiffs have failed to allege an injury that could support a cause of action under the BIPA.
As with the Article III standing inquiry, the McCollough decision is instructive, and supports Take-Two's interpretation of the BIPA. The court in McCollough, 2016 WL 4077108, at *4, concluded that the term "aggrieved" in the BIPA requires a plaintiff to establish an injury due to a statutory violation, and held that the plaintiff there, in addition to lacking Article III standing, also did not have a cause of action under the BIPA. To arrive at that conclusion, the court analyzed the use of "aggrieved" within the broader Illinois statutory landscape:
The [BIPA] does not define "aggrieved." Other Illinois statutes, however, do define "aggrieved party." Under the Illinois Human Rights Act, for example, it means "a person who is alleged or proved to have been injured by a civil rights violation or believes he or she will be injured by a civil rights violation...." 775 ILCS 5/1-103(B). Under the Soil and Water Conservation District Acts an aggrieved party "means any person whose property resources, interest or responsibility is being injured or impeded in value or utility or any other manner by the adverse effects of sediment caused by soil erosion...." 70 ILCS 405/3.20. These definitions each invoke the concept of injury resulting from a statutory violation. Thus, it appears that by limiting the right to sue to persons aggrieved by a violation of the act, the Illinois legislature intended to include only persons having suffered an injury from a violation as "aggrieved."
Id. The court also noted that the interpretation of "aggrieved" as meaning that a plaintiff must establish "an injury" was consistent with Black's Law Dictionary's definition of an "aggrieved party," which is "[a] party entitled to a remedy; esp., a party whose personal, pecuniary, or property rights have been adversely affected by another person's actions or by a court's decree or judgment." Id. (citation omitted).
The court's analysis in McCollough is persuasive. Significantly, other Illinois statutes do not contain similar limiting language. For example, the "Customer Service and Privacy Protection" of Illinois' Cable and Video Customer Protection Law provides that "[a]ny customer ... may pursue alleged violations of this Act by the cable or video provider in a court of competent jurisdiction." 220 Ill. Comp. Stat. 5/22-501 (emphasis added). The difference strongly suggests that the inclusion of "aggrieved" in an Illinois statute limits a private right of action to a party that can link an injury to a statutory violation.
The plaintiffs oppose this interpretation and argue at length that "aggrieved" means only that a plaintiff must come within a statute's zone-of-interest, but the cases that the plaintiffs cite lead to the inference that, under Illinois law, "aggrieved" means that a plaintiff must link a statutory harm to an injury to have a cause of action.11 See, e.g., Am. Sur. Co. v. Jones, 384 Ill. 222, 51 N.E.2d 122, 125-26 (1943) (under Illinois law, a statute that gives an "aggrieved" party a right to seek judicial review of an administrative decision means that the party must have "a direct, immediate and substantial interest rather than a speculative, theoretical, inconsequential or remote interest" in the matter); Glos v. People, 259 Ill. 332, 102 N.E. 763, 766 (1913) ("A person is prejudiced or aggrieved, in the legal sense, when a legal right is invaded by the act complained of or his pecuniary interest is directly affected by the decree or judgment.... `Aggrieved' means having a substantial grievance; a denial of some personal or property right.").
The plaintiffs cite Mandziara v. Canulli, 299 Ill.App.3d 593, 233 Ill.Dec. 484, 701 N.E.2d 127 (1998), which involved alleged violations of the Illinois Mental Health and Developmental Disabilities Confidentiality Act (the "MHA"). The MHA provides that, "No party ... nor his or her attorney, shall serve a subpoena seeking to obtain access to records or communications under this Act unless the subpoena is accompanied by a written order issued by a judge, authorizing the disclosure of the records or the issuance of the subpoena." Id., 233 Ill.Dec. 484, 701 N.E.2d at 131 (quoting 740 Ill. Comp. Stat. 110/10(d)). The MHA also provides that, "Any person aggrieved by a violation of this Act may sue for damages, an injunction, or other appropriate relief." Id. (quoting 740 Ill. Comp. Stat. 110/15)). The court in Mandziara held that the plaintiff there "ha[d] the right to sue a lawyer who obtained and served a subpoena for [the plaintiff's] records, which were then brought to a courtroom and used by a judge" in violation of the MHA. Id. at 129, 701 N.E.2d at 131. In that case, the defendant-lawyer claimed that he had not reviewed the mental health records himself, and thus that no harm to the plaintiff had occurred. See id. at 132, 701 N.E.2d at 131. The court found that the defendant-lawyer's claim was contradicted by the evidence, see id. but, regardless, observed that, "The [Illinois] General Assembly has made a strong statement about the importance of keeping mental health records confidential. If we were to hold [the defendant-lawyer] did not violate the [MHA] merely because he did not look at [the plaintiff's] records, we would be rewriting the statute, effectively eroding unmistakable legislative intent under the weight of judicial fiat." Id. at 133, 701 N.E.2d at 131.
The plaintiffs in this case seize on that language to argue that "aggrieved" does not require a plaintiff to establish an injury under Illinois law. The plaintiffs ignore that the court in Mandziara found that the plaintiff there had suffered an injury regardless of whether the defendant-lawyer had viewed the mental health records because the trial court had reviewed the mental health records in open court, and on the record, thus "improperly disclos[ing]" the plaintiff's confidential information in violation of the MHA. See id. Mandziara's interpretation of the MHA is consistent with the interpretation of the BIPA that an "aggrieved" party must link a statutory violation to an injury to have a cause of action.12
For the reasons already discussed, the plaintiffs have not established an injury attributable to an alleged procedural violation of the BIPA. Accordingly, the plaintiffs' claims must be dismissed.
V.
The plaintiffs have not asked for leave to amend the Second Amended Complaint. In any event, further amendment would be futile. See Foman v. Davis, 371 U.S. 178, 182, 83 S.Ct. 227, 9 L.Ed.2d 222 (1962); Mackensworth v. S.S. Am. Merch., 28 F.3d 246, 251 (2d Cir. 1994); see also Graham v. Select Portfolio Servicing, Inc., 156 F.Supp.3d 491, 516 (S.D.N.Y. 2016) ("Generally, the grant of leave to amend the pleadings pursuant to Rule 15(a) is within the discretion of the trial court." (citation and quotation marks omitted)). The plaintiffs have already amended their complaint twice, and there is no suggestion that further amendment would enable them to cure the deficiencies in the Second Amended Complaint. See Leyse v. Bank of Am., Nat. Ass'n, No. 09 CIV. 7654 (JGK), 2010 WL 2382400, at *6 n.3 (S.D.N.Y. June 14, 2010) (citing L-7 Designs, Inc. v. Old Navy, LLC, No. 09 CIV. 1432 (DC), 2010 WL 532160, at *3 (S.D.N.Y. Feb. 16, 2010)).
CONCLUSION
The Court has considered all of the arguments raised by the parties. To the extent not specifically addressed, the arguments are either moot or without merit. For the foregoing reasons, Take-Two's motion to dismiss the Second Amended Complaint is granted and the Second Amended Complaint is dismissed with prejudice.13 The Clerk is directed to enter judgment dismissing this action and closing the case. The Clerk is also directed to close all pending motions.
SO ORDERED.