Data Security Law Blog

Facebook Gears Up for High Stakes Biometric Trial

In one of the first major tests of the Illinois biometric data privacy law, Facebook is headed to trial this summer over allegations that the social media giant unlawfully collects user data with its photo tagging function. Last week, U.S. District Judge James Donato denied cross motions for summary judgment in a class action pending in Northern California, noting the “multitude of fact disputes in the case.”

The judge ruled that the case turns on whether Facebook collects and stores scans of “face geometry” on its users in violation of the Illinois Biometric Information Privacy Act (“BIPA”).

Plaintiffs’ case is based on Facebook’s “Tag Suggestion” tool – which allows users’ friends to “tag” them in pictures – and whether the facial recognition technology collects and maintains face geometry data without users’ consent. The parties have conflicting interpretations of how the face recognition and scanning technology processes work.

BIPA bars companies from collecting, capturing, purchasing, or obtaining biometric information without written consent. The fines under the Illinois law are stiff, ranging from $1,000 to $5,000 for each violation, which means that damages could reach into the billions if the class can prove that photos were scanned without consent.

Facebook has argued that plaintiffs must prove more than a violation of BIPA’s notice-and-consent provisions to maintain their case, claiming that plaintiffs must establish actual injury and not just a statutory violation. But Judge Donato has ruled that “BIPA does not require additional proof of individualize ‘actual’ harm . . . in addition to the privacy violation.” 

The court also rejected the argument that subjecting Facebook to the BIPA violates the dormant commerce clause because it processes facial recognition on servers outside Illinois. The dormant commerce clause generally applies when a state tries to regulate economic activity outside of its physical borders. But Judge Donato ruled that the facial recognition program does not occur “wholly outside” Illinois, as required by the dormant commerce clause. Rather, the matter involves conduct with respect to users in Illinois. 

A jury will now be left to decide whether Facebook’s technology collects and stores scans of face geometry. The class contends that the technology does, in fact, collect biometric data by using human facial regions to process, characterize, and ultimately recognize images of faces. Facebook argues that the technology is not dependent on facial features, but instead “learns for itself what distinguishes different faces and then improves itself based on its successes and failures, using unknown criteria that have yielded successful outputs in the past year.”

A similar BIPA case is currently pending against Google. Trial is set in the Facebook case for July 9, 2018 in San Francisco.