In 2o15 and 2016, a rush of class-action lawsuits were filed by people in Illinois against tech companies. The impetus was an unusual law in the Prairie State. In 2008, the state passed the Illinois Biometric Information Privacy Act, making it, along with Texas, one of only two states at the time with laws on the books governing the use of biometric data. (Last year, Washington became a third.) The Illinois law included in its purview “faceprints,” which is what companies like Facebook and Google use to identity you in photos. They create faceprints by analyzing your face in the many tagged photos of you that have already been uploaded to their servers. Class-action lawsuits were filed against Google, Facebook, Snapchat, and Shutterfly alleging this practice violated biometric privacy laws because the companies did not acquire user consent to use their data. The law has proved a persistent thorn in tech companies’ sides ever since.
On Monday, a federal judge in San Francisco denied a request by Facebook to have one of these suits thrown out. The Northern District of California judge found that the plaintiffs had alleged concrete violations of their privacy rights.
“When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air,” Judge James Donato wrote in his ruling. “The precise harm the Illinois legislature sought to prevent is then realized.”
Facebook had tried to wriggle out of the lawsuit based on a Supreme Court standard established in another 2016 case involving search-engine operator Spokeo, which found that plaintiffs must prove “concrete injury” in privacy suits.
But Donato found that ruling didn’t invalidate Illinois law.
Separate suits were originally filed in Illinois and California, and consolidated into one. Donato had previously rejected another Facebook argument for tossing out the suit based on user agreements that require disputes to be resolved under the laws of California, where such a biometric privacy law does not exist.
The suit could have major implications for Facebook, and for Google, which is fighting similar claims in federal court in Chicago. (The Shutterfly suit was settled, and Snapchat’s sent to arbitration.)
Facebook could be on the hook for fines of up to $5,000 each time a person’s image is used without permission. And a court victory could lead to restrictions on Facebook’s use of biometrics in the U.S., similar to restrictions already in place in Europe and Canada.
The plaintiffs still have a uphill battle ahead, but its clear that the fight over Facebook’s use of biometric data is not going away any time soon.
Facebook did not respond to a request for comment on the ruling. The company’s general stance had been that its use of biometric data does not constitute any real injury or harm to users.
Donato disagreed, concluding that the case gets to the very heart of the kinds of privacy rights the Illinois legislature sought to protect.
“This injury is worlds away from the trivial harm of a mishandled zip code or credit card receipt,” he wrote.