On February 26, 2018, the United States District Court for the Northern District of California denied Facebook, Inc.’s motion to dismiss the plaintiffs’ consolidated class action complaint for failure to allege a concrete injury in fact under Federal Rule of Civil Procedure 12(b)(1). Plaintiffs alleged Facebook’s “Tag Suggestions” violated the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., by collecting users’ biometric data secretly and without consent. Facebooks’ Tag Suggestions program uses “state-of-the-art facial recognition technology” to create and store digital representations called “templates” of people’s faces based on the geometric relationship of an individual’s unique facial features, such as, “the distance between [a person’s] eyes, nose and ears.” The basis of the court’s review was whether the complaint’s allegations were insufficient on their face to invoke federal jurisdiction. Citing Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016) (“Spokeo I”), the court stated that an intangible harm, such as the violation of a procedural right granted by statute, can be sufficient in some circumstances to constitute injury in fact. The court extended this analysis to apply to state statutes based on Ninth Circuit case law. The dispositive inquiry, according to the court, was whether the statutory provisions were established to protect the plaintiffs’ concrete interest, and the specifically alleged procedural violations “actually harm or present a material risk of harm” to those interests. In summary fashion, the court concluded that BIPA codified a right of privacy in personal biometric information. According to the California court, BIPA vests Illinois residents with the “right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent.” The court held that abrogating the procedural rights mandated by BIPA necessarily amounts to a “concrete injury.” Based on this analysis, the court concluded that Facebook’s alleged disregard for Illinois’ notice and consent procedures under BIPA caused the precise harm the legislature sought to prevent—the right of an individual to maintain her biometric privacy. Facebook argued that collecting biometrics without notice or consent requires “real-world harms” to support Article III standing. The court disagreed relying on Spokeo I and Ninth Circuit cases that recognize violation of a statutory procedural right in itself can be a sufficient injury.