Future of privacy: Lawsuit by Illinois residents focuses on Facebook facial-recognition technology

The case against Facebook under Illinois’ Biometric Information Privacy Act raises questions about the protection of people’s most personal data, as well as the possibility of an explosion of lawsuits against companies that use certain biotechnology.

Facebook is no stranger to controversy. While most recently, the social networking service has come under fire over allegations it discriminates against conservative viewpoints in its selection of “trending topics,” the company is also involved in a potentially more significant dispute over the privacy of users’ personal biometric data. A lawsuit against Facebook under an Illinois privacy law raises questions about the dangers and possibilities inherent in the increasing use of technology that identifies and stores data about people’s facial and physical likenesses.

It also reveals the best – and possibly worst – ways for states to protect their residents from the exploitation of this information.

A federal district court in California ruled May 5 that a class action lawsuit against Facebook for violations of Illinois’ biometric-information privacy law can proceed. The named plaintiffs in the lawsuit are three Illinois residents who allege Facebook has violated Illinois’ Biometric Information Privacy Act, or BIPA, through the use of photo “tag suggestions.” Through this feature, when a user posts a photo, Facebook makes suggestions as to who should be tagged using facial-recognition software that measures a person’s unique facial geometry (e.g., the distance between a person’s eyes, nose and ears).

Understanding Illinois law and the Facebook lawsuit

The Illinois General Assembly passed the BIPA in 2008 to regulate the collection, use and storage of biometric data by private entities. Illinois lawmakers were concerned that “[b]iometrics … are biologically unique to the individual … [and] once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” Moreover, lawmakers warned, “The full ramifications of biometric technology are not fully known.”

The BIPA includes as “biometric information” data based on a “biometric identifier” such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

Illinois’ BIPA makes it illegal for a private entity to obtain a person’s biometric identifier or information, unless the entity first informs the person in writing and discloses the specific purpose and length of time for which the data is being collected, stored or used. The entity must then obtain written consent from the person to use or store the biometric information.

The act further prohibits trading or making a profit from a person’s biometric information, and requires the party in possession of the data to protect the security of the information.

Under the BIPA, Illinoisans have the right to sue private parties for violations of the act and to collect $1,000 for each violation negligently committed, and the greater of $5,000 or actual damages for each violation recklessly or intentionally committed.

The plaintiffs in the lawsuit against Facebook have alleged the company violated Illinois’ BIPA by not properly informing the plaintiffs that Facebook was generating and storing their templates, or letting the plaintiffs know the purpose or amount of time for which the templates were being used and stored. They also deny having ever provided written releases to Facebook for these purposes.

To be clear, it has not yet been determined whether Facebook did in fact violate Illinois’ BIPA. But the court’s determination that Illinois, rather than California, law, will apply to the case and that the plaintiffs have stated an adequate basis under the BIPA for the case to proceed means the plaintiffs will have the chance to prove the substance of their claims against Facebook in court.

Biometric data use by Shutterfly, federal and state government

While the suit against Facebook has garnered significant media attention, a similar BIPA-related case was filed against the photo-sharing site Shutterfly Inc. in 2015, according to the Chicago Tribune. The plaintiff in Norberg v. Shutterfly alleged that Shutterfly allowed his photo to be tagged without his consent. The plaintiff’s attorney told the Tribune that “thousands, at a minimum” of Illinois residents have had their photos uploaded and tagged on Shutterfly without having joined the service – and therefore have grounds to sue Shutterfly under the BIPA. Although a federal district judge in Chicago ruled in January that this case could proceed, the parties settled in April.

Biometric information in the form of fingerprints has long been used in law enforcement. And concerns about terrorism prompted the enactment of the federal REAL ID Act, which requires state-issued driver’s licenses and ID cards to have enhanced security features by 2018 in order for residents to use them to board planes or access federal buildings or military facilities. Illinois Secretary of State Jesse White announced in May his office’s plans to issue driver’s licenses and state IDs that comply with the REAL ID Act through the use of facial-recognition technology. (Illinois’ BIPA expressly excludes state agency or local government personnel from the prohibitions contained in the act.)

Biometric data usage isn’t going to slow down anytime soon

While Facebook and Shutterfly are facing well-publicized challenges caused by their use of biometric technology, companies across a range of industries are considering or already using similar technology. For nearly three years, Apple Inc.’s iPhone has allowed users to employ fingerprint technology to unlock phones, and some financial institutions enable customers to conduct transactions online through such technology. Certain banks have also introduced fingerprint technology for use with ATMs.

Furthermore, the possibility now exists for retail stores to use facial-recognition technology to spot known shoplifters, as well as to identify and greet repeat customers with special deals, according to an article in the Washington Post. The article also notes that Microsoft has a patent for a billboard that uses facial-recognition technology to send targeted ads and product information to shoppers in stores.

On the health care front, developments include injectable, vision-correcting artificial lenses, which can collect and store information from the wearer and transmit that data to outside devices.

Biometric data and privacy concerns

Notwithstanding the promise of this biotechnology to enhance many aspects of life, serious concerns about privacy, security, the monitoring of citizens by government, and the sale of people’s personal, biologically derived data abound. As the Illinois General Assembly noted, although a person can change her Social Security number if it is stolen, she cannot easily alter her distinct facial geometry once that identifier falls into the wrong hands. Thus, other states will likely follow Illinois’ lead in passing laws to protect against the commercial use of residents’ biometric information.

While some other states have proposed measures to protect biometric data, Texas is now the only state besides Illinois to have passed a statute that regulates the commercial use and capture of biometric information. Each violation of Texas’ law carries a potential civil penalty of up to $25,000. In Texas, however, only the attorney general can file a lawsuit under the statute.

Maybe Texas is on to something. While protecting residents from the use and sale of their biometric information makes sense, the potential for the proliferation of lawsuits under Illinois’ BIPA is sobering. According to lawyers Torsten Kracht and Rachel Mossman in a Law360.com article, the plaintiff in one of the original Facebook lawsuits (before the case became a class-action suit) alleged there may be 7 million Facebook users in Illinois and that damages could total at least $7 billion. Facebook boasts more than 1 billion daily Facebook users worldwide as of March 2016. The company has more than 250 billion photos, and more than 300 million are uploaded every day. That makes Facebook an incredible storehouse of biometric information. And under the BIPA, it makes Facebook a potential gold mine for plaintiffs’ attorneys.

Is it in Illinoisans’ best interest for “enterprising plaintiffs lawyers” – as attorneys Derek Sarafa, Thomas Weber and A.J. Dixon describe them in another article on Law360.com – to develop a cottage industry of class-action litigation for BIPA violations? Will Illinois become the tech litigation capital of the nation, akin to Madison County, Illinois’ notoriety as an asbestos trial attorney’s paradise? Might that have a dampening effect on technological innovation that could ultimately benefit huge numbers of people worldwide? And wouldn’t it give tech firms – and many other companies – pause before they set up shop in Illinois?

While prohibiting the commercial collection and sale of biometric information may be prudent, Illinois policymakers should consider the ramifications of granting millions of people the right to sue private companies under the BIPA. As the Facebook case unfolds, the answers may be different than what the architects of the act expected.