chevron-down Created with Sketch Beta.

Business Law Today

June 2024

June 2024 in Brief: Internet Law & Cybersecurity

Juliet Marie Moringiello

June 2024 in Brief: Internet Law & Cybersecurity
iStock.com/FactoryTh

Jump to:

Ninth Circuit Finds That Facebook’s “Face Signature” Technology Does Not Violate Illinois BIPA

By Kevin Liu, Pilgrim Christakis LLP

On June 17, 2024, the Ninth Circuit affirmed the dismissal of a consumer’s privacy claim against Meta Platforms, Inc. (Facebook), holding that the company’s creation of “face signatures” from photos does not violate the Illinois Biometric Information Privacy Act (BIPA).

BIPA prohibits the collection of a person’s “biometric identifier or biometric information” without prior written authorization. A “biometric identifier” is a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” while “biometric information” is “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual,” and it “does not include information derived from items or procedures excluded under the definition of biometric identifiers,” such as photographs. BIPA further requires companies to “develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information.”

In 2010, Facebook launched a feature called “Tag Suggestions,” which analyzes whether a user’s Facebook friends are in photos uploaded by the user. If there is a match, then Facebook suggests that the user “tag” their friend. This analysis involves an algorithm that analyzes photos uploaded to Facebook for faces and creates a “face signature”—a string of numbers that represents a particular image of a face. The face signature is compared to face templates of Facebook users to see if there is a match, and the face signature is immediately deleted thereafter.

Plaintiff Clayton Zellmer is not a Facebook user. Zellmer sued Meta Platforms alleging that his friends—who are Facebook users—uploaded photos of Zellmer onto Facebook, and that Facebook collected his biometric identifiers when it created “face signatures” of his face from those photos, without Zellmer’s authorization. Zellmer further alleged that Facebook lacked written, publicly available policies identifying its retention schedules for permanently destroying biometric identifiers and biometric information of non-users.

On summary judgment, the district court ruled in Meta’s favor, finding that BIPA does not protect non-users, noting that “it would be patently unreasonable to construe BIPA to mean that Facebook was required to provide notice to, and obtain consent from, non-users who were for all practical purposes total strangers to Facebook, and with whom Facebook had no relationship whatsoever.” The court found that this position was “untenable” as it put Facebook in the “impossible position” of “obtain[ing] consent from every stranger whose face happened to be caught on camera.”

On appeal, the Ninth Circuit affirmed the dismissal, but on different grounds. The appellate court first rejected the district court’s findings, noting that the statutory text of BIPA expressly protects both “persons” and “customers”—thus BIPA envisions protecting the privacy of non-users “regardless of any preexisting relationship with the party alleged to have violated BIPA.”

However, this alone did not end the inquiry. The Ninth Circuit then analyzed the statutory text of BIPA, noting that its prohibitions specifically concern the collection of “identifiers,” which, by its ordinary meaning, means “one that identifies.” For instance, the items listed in the definition of “biometric identifier”—i.e., retina, iris scan, fingerprint, voiceprint, scan of hand or face geometry—are all items that are “unique to a person” and “can thus be used to identify a person in the proper context.” Likewise, the definition of “biometric information” expressly requires said information to be “used to identify an individual.” In contrast, Facebook’s “face signatures” are strings of numbers that represent a particular image of a face; they “do not reveal any geometric information about the detected face in the image, nor do they correspond to facial features like the eyes or nose, or distances between them.” They are “an abstract, numerical representation of a face crop that is computed by millions of pixel comparisons performed by the proprietary algorithm.” “No one—not even Facebook—can reverse-engineer the numbers comprising a given face signature to derive information about a person.” In other words, the Ninth Circuit found that since face signatures cannot be used to identify people, they are not “biometric identifiers” nor “biometric information” as defined under BIPA.

As for Zellmer’s claim that Facebook lacked written, publicly available policies identifying its retention schedules for permanently destroying biometric identifiers and biometric information of non-users, the appellate court shot down this claim for lack of Article III standing, as Zellmer had failed to explain how he had been harmed in any “‘concrete and particularized’ way.” And since the Ninth Circuit found that Facebook’s face signatures were not biometric identifiers nor biometric information, the creation of the face signatures necessarily “does not lead to the ‘very substantive harm targeted by BIPA.’” 

    Editor