On Wednesday, August 19, 2020, Facebook received preliminary approval from a federal court to settle a lawsuit claiming it collected and stored biometric data without users’ consent. Judge James Donato of the U.S. District Court for the Northern District of California issued an eight-page order granting the preliminary approval after Facebook and the plaintiffs reached a revised agreement to address the court’s earlier concerns—including increasing the settlement amount by $100 million to $650 million. The final approval hearing in the case is currently scheduled for January 7, 2021.
Biometric Claims Against Facebook
The claims against Facebook focused on its “Tag Suggestions” feature. This feature scanned photos that were already tagged and then used this data to offer suggested identification for individuals in newly-uploaded photos. The feature was intended to make it easier for users to tag others in photos, in turn, making those images easier to search and share. When Facebook launched the Tag Suggestions feature several years ago, however, it did not include a mechanism to collect consent from users before the software sought to identify their faces in uploaded photos. According to the plaintiffs, a group of Facebook users, Facebook’s failure to obtain users’ consent for scans related to the “Tag Suggestions” feature violated the Illinois Biometric Information Privacy Act (BIPA).
Biometric Data Privacy and the Illinois Law
The Illinois Biometric Information Privacy Act (BIPA) requires entities involved with biometric data to meet a number of requirements regarding the collection, storage, and use of that data. Among other requirements, BIPA mandates that companies collecting biometric information obtain the consent of those individuals whose information is collected.
Several states have similar privacy laws that set legal requirements for the collection and use of biometric data. Illinois’s law is unique, however, in creating a private right of action for plaintiffs. Illinois courts have held that plaintiffs do not need to show actual harm in order to prevail in a lawsuit under BIPA if they can show their rights were violated.
Though Facebook maintains that it did not violate BIPA, the company has nevertheless participated in settlement negotiations. Facebook initially offered a settlement of $550 million in January 2020; however, the offer was rejected by the court, as it would result in payments to plaintiffs that the judge deemed too low. The BIPA allows for damages to be paid to plaintiffs even in the absence of a showing of actual harm. Damages permitted by the BIPA typically range between $1,000 and $5,000 per aggrieved party, as set by the statute. Were Facebook to lose the lawsuit, the company could be required to pay $47 billion—the amount required to compensate each plaintiff $5,000, or the maximum damages amount that BIPA allows.
The Future of Biometric Data Cases
Social and political pushback against biometric data use and collection continues to mount. In response to increasing public skepticism about biometric technologies, companies like IBM, Microsoft, and Amazon have pledged to limit or deny law enforcement access to their technology. In a further step, a proposed federal bill would ban federal law enforcement from using facial recognition technology. The bill would also proposes withholding funding from state and local law enforcement agencies that continue to use facial recognition tools.
While some government bodies and some companies are adding greater protections for biometric data, others are expanding their use of such data. Devices like Apple’s iPhone offer facial recognition as a phone security tool—requiring the phone to recognize the user’s face in order to unlock.
As concerns about facial recognition and other forms of biometric data-gathering rise, more lawsuits are likely to be filed, invoking the Illinois BIPA and potentially other privacy laws. Many of these claims may require the assistance of experts familiar with how facial recognition algorithms work. Cybersecurity experts who can speak to questions of adequate security and privacy protections for stored or transmitted data may offer a valuable perspective in some cases as well.