Stephanie N. Grimoldby Jul. 7, 2016, 11:14am

While technological privacy advocates cheered, a California federal judge this spring sent shockwaves through the tech world and many other industries, determining an Illinois law that has spawned a wave of litigation already could be applied to businesses based virtually anywhere, so long as they did business in Illinois. 

In May, U.S. District Judge James Donato said Facebook would need to fight off a class action lawsuit brought under the Illinois Biometric Information Privacy Act, even though the Menlo Park, Calif.-based social media giant had succeeded in transferring the case from Chicago to San Francisco federal court. 

quka /

Facebook could be responsible for millions in damages if it loses the case, which was filed by three Illinois residents who alleged the social media company had “secretly amassed the world’s largest privately held database of consumer biometrics data” through its facial recognition technology, including its Tag Suggestions tool, which relies on face templates to help users identify their friends and family in photographs. 

While the case has a long way to go, decisions made along the way could greatly impact companies, whether or not they actually have a physical presence in Illinois. 

Thinking broadly

The Internet Association, a political lobbying organization that represents nearly 40 Internet companies, has seen a growing class action bar that has filed suit against its member companies for violations of privacy statutes. 

In the Facebook lawsuit, it’s a concerning precedent that Illinois and its BIPA will be applied under a choice of law clause, said an Internet Association spokesperson, particularly because many Internet Association member companies are headquartered in California, and it is common practice for users to sign an agreement stating they agree to be governed by California law. 

There is record evidence that the plaintiffs clicked on the Facebook user agreement to be governed by California law – something Judge Donato noted in his ruling. 

Still, Donato felt applying the BIPA was necessary. 

“If California law is applied, the Illinois policy of protecting its citizens’ privacy interests in their biometric data, especially in the context of dealing with ‘major national corporations’ like Facebook, would be written out of existence,” he wrote in his ruling. “Illinois will suffer a complete negation of its biometric privacy protections for its citizens if California law is applied. In contrast, California law and policy will suffer little, if anything at all, if BIPA is applied.” 

Whether Facebook’s facial recognition technology actually violates BIPA – which defines biometrics, or biologically unique identifiers, as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” - has not yet been determined. 

But a broader question that should be asked of this case – and in all similar class actions – is whether the plaintiffs must show concrete injury to recover statutory damages, the Internet Association spokesperson said. 

The Internet Association weighed in on the recent U.S. Supreme Court ruling in Spokeo v. Robins, in which Spokeo – which brands itself as the “people search engine” - was accused of violating the federal Fair Credit Reporting Act when it published false, albeit, positive, information about a man. In that case, the Supreme Court determined plaintiffs must show some evidence of concrete harm to have standing to sue. 

“In our brief, we explained that Internet companies are ‘frequently targeted by opportunistic lawsuits,’ like the one in Spokeo, under various statutes with a private right of action, including the FCRA and the Telephone Consumer Protection Act,” the Internet Association wrote in a blog post. “In these cases, the alleged harm is ‘a bare statutory’ violation and not a ‘concrete, actual harm.’ We called on the Supreme Court to course correct on this issue since our member companies frequently have to settle these lawsuits despite a lack of concrete harm to the plaintiffs involved.” 

Specific to the Facebook case, the plaintiffs alleged the company violated BIPA by not properly informing the plaintiffs that their biometric data was being collected and stored through Facebook’s facial recognition software and Tag Suggestions; by not properly detailing the purpose for or length of time the data would be collected, stored or used; by not providing a timetable of when the data would be destroyed; and by failing to receive written permission from the plaintiffs to collect, use or store the data in the first place. 

But it will be interesting to see if the Spokeo ruling is followed in the Facebook case – if there is no harm resulting in the use of the facial recognition technology, things could take a different turn. 

Some fear that a plaintiff’s win in the Facebook case could spell disaster for any business that uses biometrics – regardless if they’re headquartered in Illinois. 

Plaintiffs’ lawyers have used Illinois’ venue laws – which govern whether a lawsuit can be heard in a particular county, state or federal jurisdiction – to bring huge numbers of asbestos-related litigation in such venues as downstate Madison County. 

Donato’s ruling that even cases heard outside of Illinois should follow Illinois law could create another large litigation field for enterprising attorneys looking to sue under BIPA. 

Better to beg for forgiveness than ask for permission?

The battle over biometrics usage may come down to this: Privacy advocates believe companies should ask before obtaining such sensitive information, while businesses say, “I don’t think so,” said Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, a California nonprofit digital rights group. 

Perhaps the underlying problem isn’t so much that biometric information is collected and stored, but that in so doing, it becomes liable to attack. 

“If someone is trying to hurt us, whether it’s through some kind of fraud or identity theft or stalking us, we can change all sorts of identifiers - we can change our Social Security number; in extreme cases, you can even change your name - but you can’t change your face,” Schwartz said. 

Further complicating the matter is the lack of black-and-white clarity surrounding questions of privacy. For one, different generations have different notions of privacy; millennials who grew up with social media tend to be more open than their parents and grandparents. And not everyone believes heavy regulation is best. 

“Our members believe that users should be able to make their own privacy decisions,” said Abigail Slater, vice president of legal and regulatory policy at the Internet Association. “They provide this choice to users by offering robust and often granular privacy settings on their platforms." 

For its part, a Facebook spokesperson said the company always has been upfront about how tagging works. It posted an original note in 2010 that explained facial recognition was used in the new tool. 

“If we were really trying to hide it, we wouldn’t have written the note,” the spokesperson said, adding that users have the option to control their photo tagging settings. “We really feel we’re empowering people to make the decision that’s best for them.” 

The plaintiffs in the Facebook class action allege the company’s explanation of Tag Suggestions are “on remote sections of its website,” so the outcome of this case could also set precedent for how visible companies must make their biometrics information to consumers. 

As litigation swirls on these and other related questions, Christopher Dore, an attorney with Edelson PC in Chicago, which is representing the plaintiffs in the Facebook case, said there is a bottom line for businesses operating in Illinois. 

“When you make the decision to start collecting or processing sensitive data, triple check that you’re following the rules,” said Dore. “For biometric information, that’s of tenfold importance.” 

Transparency is key

Schwartz noted Facebook does not utilize its facial recognition system in Canada and the European Union because those countries were concerned it would violate privacy laws. Users can manually tag people in photos, but no tag suggestions are made based on face templates. 

“There are laws in those countries similar to the ones in Illinois that protect consumers’ privacy,” Schwartz said. “And Facebook did not fall.” 

Gautam Hans, policy counsel at the Center for Democracy and Technology-San Francisco, said he wasn’t against the use of biometrics, but transparency and clarity were essential. Current issues seem to stem from information asymmetry, where one party knows more about something than another party. 

“Oftentimes… you give your information to a company, and you don’t know what happens to it …” he says. “It needs to be clear to a consumer what is being collected, why it’s being collected, who it’s going to be shared with and how long it will be stored, in part because of the indubitability of the information … Only with that level of understanding can people make really informed choices.”

More News