While technological privacy
advocates cheered, a California federal judge this spring sent shockwaves
through the tech world and many other industries, determining an Illinois law
that has spawned a wave of litigation already could be applied to businesses
based virtually anywhere, so long as they did business in Illinois.
In May, U.S. District Judge James Donato said Facebook would need to fight off a class
action lawsuit brought under the Illinois Biometric Information
Privacy Act, even though the Menlo Park, Calif.-based
social media giant had succeeded in transferring the case from Chicago to San
Francisco federal court.
Facebook could be responsible for millions in
damages if it loses the case, which was filed by three Illinois residents who
alleged the social media company had “secretly amassed the world’s largest
privately held database of consumer biometrics data” through its facial
recognition technology, including its Tag Suggestions tool, which relies on
face templates to help users identify their friends and family in photographs.
While the case has a long way to go, decisions
made along the way could greatly impact companies, whether or not they actually
have a physical presence in Illinois.
The Internet Association, a
political lobbying organization that represents nearly 40 Internet companies,
has seen a growing class action bar that has filed suit against its member
companies for violations of privacy statutes.
In the Facebook lawsuit, it’s a concerning
precedent that Illinois and its BIPA will be applied under a choice of law
clause, said an Internet Association spokesperson, particularly because many Internet
Association member companies are headquartered in California, and it is common
practice for users to sign an agreement stating they agree to be governed by
There is record evidence that the plaintiffs
clicked on the Facebook user agreement to be governed by California law –
something Judge Donato noted in his ruling.
Still, Donato felt applying the BIPA was
law is applied, the Illinois policy of protecting its citizens’ privacy
interests in their biometric data, especially in the context of dealing with ‘major
national corporations’ like Facebook, would be written out of existence,” he wrote
in his ruling. “Illinois will suffer a complete negation of its biometric
privacy protections for its citizens if California law is applied. In contrast,
California law and policy will suffer little, if anything at all, if BIPA is
Facebook’s facial recognition technology actually violates BIPA – which defines biometrics, or biologically unique identifiers, as “a retina or iris scan,
fingerprint, voiceprint, or scan of hand or face geometry” - has not yet been determined.
But a broader question that should
be asked of this case – and in all similar class actions – is whether the
plaintiffs must show concrete injury to recover statutory damages, the Internet
Association spokesperson said.
The Internet Association weighed in on the
recent U.S. Supreme Court ruling in Spokeo v. Robins, in which Spokeo – which brands itself as the
“people search engine” - was accused of violating the federal Fair Credit
Reporting Act when it published false, albeit, positive, information about a
man. In that case, the Supreme Court determined plaintiffs must show some
evidence of concrete harm to have standing to sue.
our brief, we explained that Internet companies are ‘frequently targeted by
opportunistic lawsuits,’ like the one in Spokeo, under various statutes with a
private right of action, including the FCRA and the Telephone Consumer
Protection Act,” the Internet Association wrote in a blog post. “In these
cases, the alleged harm is ‘a bare statutory’ violation and not a ‘concrete,
actual harm.’ We called on the Supreme Court to course correct on this issue
since our member companies frequently have to settle these lawsuits despite a
lack of concrete harm to the plaintiffs involved.”
Specific to the Facebook case, the plaintiffs
alleged the company violated BIPA by not properly informing the plaintiffs that
their biometric data was being collected and stored through Facebook’s facial
recognition software and Tag Suggestions; by not properly detailing the purpose
for or length of time the data would be collected, stored or used; by not
providing a timetable of when the data would be destroyed; and by failing to
receive written permission from the plaintiffs to collect, use or store the
data in the first place.
But it will be interesting
to see if the Spokeo ruling is followed in the Facebook case – if there is no
harm resulting in the use of the facial recognition technology, things could
take a different turn.
Some fear that a plaintiff’s win in the Facebook
case could spell disaster for any business that uses biometrics – regardless if
they’re headquartered in Illinois.
Plaintiffs’ lawyers have used Illinois’ venue laws
– which govern whether a lawsuit can be heard in a particular county, state or
federal jurisdiction – to bring huge numbers of asbestos-related litigation in
such venues as downstate Madison County.
Donato’s ruling that even cases heard outside of
Illinois should follow Illinois law could create another large litigation field
for enterprising attorneys looking to sue under BIPA.
Better to beg
for forgiveness than ask
The battle over biometrics usage may
come down to this: Privacy advocates believe companies should ask before
obtaining such sensitive information, while businesses say, “I don’t think so,”
said Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation,
a California nonprofit digital rights group.
Perhaps the underlying problem
isn’t so much that biometric information is collected and stored, but that in
so doing, it becomes liable to attack.
“If someone is trying to hurt us,
whether it’s through some kind of fraud or identity theft or stalking us, we
can change all sorts of identifiers - we can change our Social Security number;
in extreme cases, you can even change your name - but you can’t change your
face,” Schwartz said.
Further complicating the matter is
the lack of black-and-white clarity surrounding questions of privacy. For one,
different generations have different notions of privacy; millennials who grew
up with social media tend to be more open than their parents and grandparents.
And not everyone believes heavy regulation is best.
“Our members believe that users should be able
to make their own privacy decisions,” said Abigail Slater, vice president of
legal and regulatory policy at the Internet Association. “They provide
this choice to users by offering robust and often granular privacy settings on
For its part, a Facebook spokesperson said the
company always has been upfront about how tagging works. It posted an original note in 2010 that explained
facial recognition was used in the new tool.
we were really trying to hide it, we wouldn’t have written the note,” the
spokesperson said, adding that users have the option to control their photo
tagging settings. “We really feel we’re empowering people to make the decision
that’s best for them.”
The plaintiffs in the Facebook class action
allege the company’s explanation of Tag Suggestions are “on remote sections of
its website,” so the outcome of this case could also set precedent for how
visible companies must make their biometrics information to consumers.
As litigation swirls on these and other related questions,
Christopher Dore, an attorney with Edelson PC in Chicago, which is representing
the plaintiffs in the Facebook case, said there is a bottom line for businesses
operating in Illinois.
you make the decision to start collecting or processing sensitive data, triple
check that you’re following the rules,” said Dore. “For biometric information, that’s of tenfold importance.”
Transparency is key
Schwartz noted Facebook does not utilize its facial
recognition system in Canada and the European Union because those countries
were concerned it would violate privacy laws. Users can manually tag people in
photos, but no tag suggestions are made based on face templates.
“There are laws in those countries similar to the ones in Illinois
that protect consumers’ privacy,” Schwartz said. “And Facebook did not fall.”
Gautam Hans, policy
counsel at the Center for Democracy and Technology-San Francisco, said he
wasn’t against the use of biometrics, but transparency and clarity were
essential. Current issues seem to stem from information asymmetry, where one
party knows more about something than another party.
“Oftentimes… you give your information to a company, and you
don’t know what happens to it …” he says. “It needs to be clear to a consumer
what is being collected, why it’s being collected, who it’s going to be shared
with and how long it will be stored, in part because of the indubitability of
the information … Only with that level of understanding can people make really