• by Wendy Davis  @wendyndavis, April 13, 2017

Two Chicago siblings are asking a federal appellate court to revive their class-action lawsuit accusing Take-Two Interactive Software of violating an Illinois privacy law by collecting faceprints of video game players.

Vanessa and Ricardo Vigil argue in papers filed this week that Take-Two's alleged violations of the Illinois Biometric Information Privacy Act caused the kind of concrete harm that justifies a lawsuit.

"Take-Two’s practices violate both the core object of [the biometric privacy law] and each of the statute’s procedural requirements, compromising and creating material risk of harm to the privacy of the Vigils and the putative class members," they say in a brief filed with the 2nd Circuit Court of Appeals.

The battle dates to October 2015, when the Vigils filed suit over the facial-scanning technology used in the game NBA 2K15. The Vigils alleged that game used their facial scans -- which were captured by the platform's camera -- in order to create avatars that resembled them.

The Vigils claimed in a class-action complaint that Take-Two violated the Illinois Biometric Information Privacy Act -- a 2008 law that requires companies to obtain written releases from people before collecting biometric data like “face geometry,” and obligates companies to notify people about biometric data collection and publish a schedule for destroying the information.

Take-Two argued that the case should be dismissed on the grounds that the Vigils didn't suffer any concrete injury as a result of any alleged violations of the Illinois law.

U.S. District Court Judge John Koeltl in New York agreed with the company.

"There is no allegation that Take-Two has disseminated or sold the plaintiffs’ biometric data to third parties, or that Take-Two has used the plaintiffs’ biometric information in any way not contemplated," Koeltl wrote in a ruling issued earlier this year.

He added that the Vigils agreed to the game's terms and conditions, and that the game's scanning feature worked as intended.

The Vigils said they were at an "enhanced risk of harm" in the future because their faceprints were now in Take-Two's possession. But Koeltl said that possibility was too speculative to warrant a lawsuit.

The consumers are now asking the 2nd Circuit to reverse that decision. Among other arguments, they say that they can proceed because the Illinois statute confers on residents a "concrete interest in maintaining privacy over this sensitive biometric data."

The argument over whether the Vigils allegedly suffered a "concrete" injury stems from the Supreme Court's 2016 decision in a separate lawsuit brought by Virginia resident Thomas Robins against online data aggregator Spokeo. Robins alleged in that matter that Spokeo violated the federal Fair Credit Reporting Act by displaying incorrect information about him.

The Supreme Court said last year Robins could only proceed with his case if he could prove that any errors resulted in a "concrete" injury.

Since that ruling came out, judges around the country have struggled to determine what kind of injury is "concrete." Rulings have been mixed, but some judges have said that consumers can still sue companies for allegedly violating laws regarding robocalling and robotexting.

The Vigils call attention in their new legal papers to those decisions. "If the receipt of an unsolicited phone call is invasive enough to constitute a concrete harm, then having one’s sensitive biological data taken without authorization surely is as well," they argue.

Take-Two is expected to file its response by next month.

Google and Facebook face separate lawsuit accusing them of also violating the Illinois biometrics privacy law.