Biometric Data Privacy: Instagram to Pay $68.5M in Class Action Settlement

Instagram has agreed to a settlement in Illinois, one case in the ongoing trend of biometric data privacy litigation.

Carrie Pallardy, Contributing Reporter

July 27, 2023


Meta, the parent company of Instagram, is facing a class action lawsuit focused on biometric data privacy. The lawsuit (Parris v. Meta Platforms, Inc.) alleges that Instagram collected and stored users’ biometric data in violation of Illinois’ Biometric Information Privacy Act (BIPA). The company denies any wrongdoing, but it has agreed to pay a $68.5 million settlement.

Individuals who used Instagram between Aug. 10, 2015, and Aug. 16, 2023, may be entitled to a piece of the settlement. The final approval hearing for the settlement will take place on Oct. 11.

As biometric data continues to proliferate, regulations are evolving, companies must work to remain compliant, and individuals must consider what they can do to protect their data.

Illinois Legislation

BIPA went into effect in 2008. “Illinois’ BIPA is the first of its kind in the US and remains the most stringent,” says Eve Maler, chief technology officer of identity and access management software company ForgeRock.

Illinois is not the only state to have a biometric data privacy law, but BIPA includes a unique element: private right of action. It allows individuals to file lawsuits against corporations that allegedly violate the law.

“Other state biometric privacy laws lack a private right of action, leaving it to enforcement government agencies, such as state attorneys general,” explains Bill Roberts, co-chair of the data privacy, protection, and litigation group at law firm Day Pitney.

Although BIPA has been around since 2008, Roberts points to a 2019 case (Rosenbach v. Six Flags Entertainment Corp.) that has fueled more cases related to BIPA. Stacy Rosenbach sued the amusement park because it took her son’s fingerprints without the notice and consent required by BIPA, according to the American Civil Liberties Union. A lower court ruled her son did not experience the “actual injury” necessary to sue under BIPA.

The case made its way to the Illinois Supreme Court, which ultimately ruled that individuals do not need to experience harm or injury to sue for damages under BIPA. “This was a significant departure from how most such laws are interpreted and has led to countless BIPA claims being filed in Illinois state court,” Roberts says.

Six Flags agreed to settle the case for $36 million.

The $68.5 million Instagram settlement is not the first time Meta has tangled with BIPA. In 2021, Facebook agreed to a $650 million settlement in another biometric privacy class action lawsuit.

And litigation continues. X, the recently rebranded Twitter, is facing a class action lawsuit alleging BIPA violations.

“BIPA litigation is one of the most common types of privacy litigation that we see in the US today. That trend will not change any time soon,” says Cobun Zweifel-Keegan, managing director, Washington, D.C., at the nonprofit advocacy organization International Association of Privacy Professionals (IAPP).

Evolving Regulations

Other states, including Texas and Washington, have legislation that addresses the use of biometric data and privacy. New York City also has a law that regulates the collection and use of biometric data.

Several other states have their own proposed versions of a biometric data privacy law. For example, the Oregon Consumer Privacy Act (SB 619) is awaiting signature by Governor Tina Kotek. The legislation “defines personal and biometric data broadly,” according to an Oregon Department of Justice news release.

The state-by-state approach is often referred to as a regulatory patchwork, making compliance challenging. Will there be a federal law that provides comprehensive requirements for biometric data privacy?

Sen. Jeff Merkley (D-OR) introduced the National Biometric Information Privacy Act of 2020 (S. 4400) in the Senate, but the last action taken on that proposed legislation was in August 2020. Biometric data is still being scrutinized at the federal level, however. In May, the Federal Trade Commission (FTC) issued a policy statement on the misuses of biometric data and potential harm to consumers.

The FTC “warns that false or unsubstantiated claims about the accuracy or efficacy of biometric information technologies or about the collection and use of biometric information may violate the FTC Act.”

Regulation addressing biometric data privacy is likely to continue evolving at the state and federal level. “Over time, these regulations will start to resemble each other, similar to how GDPR gained copycats worldwide. Greater legal alignment will aid in organizations’ ability to comply, but these initial years will be messy,” ForgeRock’s Maler predicts.

Companies will need to remain aware of new and changing regulatory requirements and have the flexibility to comply, lest they face costly litigation and regulatory action. “Technical and operational responsiveness and an unwavering commitment to ethical usage will help enterprises emerge on strong footing,” Maler says.

While companies and regulators work through the next few years, biometric data will continue to proliferate and so will the potential harms associated with its misuse. Individuals will have to grapple with what that means for them. Keeping external biometrics private isn’t feasible in many cases. “Faces and fingerprints don’t make for good secrets,” Maler points out.

Individuals can scrutinize use agreements and opt-in policies to help control who has access to their biometric data, but not everyone is going to read the fine print as they sign up for new applications and share information in the course of their daily lives.

“US consumers have to rely on whatever privacy rights and protections their state provides for them,” says IAPP’s Zweifel-Keegan.


About the Author(s)

Carrie Pallardy

Contributing Reporter

Carrie Pallardy is a freelance writer and editor living in Chicago. She writes and edits in a variety of industries including cybersecurity, healthcare, and personal finance.
