Facebook Facial Tagging Biometric Lawsuit Moves Forward

A federal district court denies Facebook's request to dismiss a case that alleges that the social media giant violated Illinois biometric privacy laws with its photo-tagging feature.



Facebook F8: AI, Future Of Apps On Display
Facebook F8: AI, Future Of Apps On Display
(Click image for larger view and slideshow.)

Facebook has lost the first round in a legal fight that alleges that the social media giant's photo tagging violates privacy rights.

A federal court in San Francisco has ruled that Illinois biometric privacy laws trump California laws, even if users have signed a terms of use agreement that states California laws would apply. The ruling may set a precedent that Illinois strict biometric privacy laws could override other state laws, a potentially significant issue as facial recognition becomes more pervasive in its use by Facebook and other tech titans.

A US District Judge James Denato said on Thursday that plaintiffs Nimesh Patel, Adam Pezen, and Carlo Licata can move forward in their Facebook biometric information privacy lawsuit. Although the plaintiffs are Illinois residents who filed in Illinois, all parties in the case agreed to transfer the case to the US District Court of Northern District of California, according to court documents. Donato denied Facebook's request to dismiss the case and set a case management conference for June 15.

(Image: ymgerman/iStockphoto)

(Image: ymgerman/iStockphoto)

The lawsuit, filed in 2015, argued that Facebook "amassed users' biometric data secretly and without consent," according to a PDF of court documents obtained by InformationWeek. The parties specifically cited Facebook's use of its Tag Suggestions program, in which users can upload photos to their Facebook account and tag the photos with an individual's identity.

According to the lawsuit, the parties filed their class action lawsuit under the Illinois Biometric Information Privacy Act (BIPA ). Facebook had argued that the plaintiffs had signed a user agreement that stipulated California state laws would govern the agreement. But Donato ruled the contractual choice of law would not apply.

In his ruling, he stated:

The plain language of BIPA indisputably evinces a fundamental privacy policy of Illinois.

It is equally undeniable that enforcing the contractual choice of California law would be contrary to this policy in the starkest way possible. Facebook tries to downplay the conflict as merely the loss of a claim. But if California law is applied, the Illinois policy of protecting its citizens' privacy interests in their biometric data, especially in the context of dealing with "major national corporations" like Facebook, would be written out of existence. That is the essence of a choice-of-law conflict. The conflict is all the more pronounced because California has no law or policy equivalent to BIPA. Unlike Illinois, California has not legislatively recognized a right to privacy in personal biometric data and has not implemented any specific protections for that right or afforded a private cause of action to enforce violations of it.

Illinois' greater interest in the outcome of this BIPA dispute is also readily apparent. The fundamental question on this point is "which state, in the circumstances presented, will suffer greater impairment of its policies if the other state's law is applied." The answer here could not be clearer. Illinois will suffer a complete negation of its biometric privacy protections for its citizens if California law is applied. Facebook makes the implausible argument that California has the superior interest of needing to provide "certainty and predictability to technology companies like Facebook" by "enforcing choice-of-law provisions." This makes little sense.

[Editor's note: References to specific document numbers and case numbers in the above quote have been omitted for easier reading.]

The judge added that, while California has a significant interest in enforcing contracts executed by its citizens and businesses, Illinois in this particular case has a "case-specific interest" in protecting its residents from losing statutory protections.

[Read Facebook Faces Trouble in France for Tracking Non-Users.]

Although the judge noted that further facts in the case may emerge that could affect the plaintiff's BIPA claims, for now the court accepts their allegations that Facebook's face recognition technology involves scanning a person's face geometry and does it without the plaintiff's consent.

The plaintiffs are seeking a jury trial and $75,000 in damages.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Email This  | 
Print  | 
RSS
More Insights
Copyright © 2020 UBM Electronics, A UBM company, All rights reserved. Privacy Policy | Terms of Service