Facebook has numerous privacy settings to protect your profile information from other users, but what about protecting your privacy from the social media company itself? On April 21, 2015, a class action suit was filed against Facebook in the Northern District of California for violating an Illinois privacy law, the Biometric Information Privacy Act (BIPA), enacted in 2008. Among other things, the law requires informed consent prior to collecting biometric information and prohibits profiting from its use. The lawsuit is based on Facebook’s face-scanning technology that uses facial geometry to tag users in photographs.
In 2016, Facebook challenged the claim, arguing that California’s choice of law precluded an application of Illinois law and made a 12(b)(6) motion for failure to state a claim. The motion was denied. In 2017, Facebook made a second motion to miss that was also denied. The class was certified in April of this year, completing the last step in finalizing the suit as a class action.
The most recent development in the case was a decision made on May 14. During that hearing, Facebook argued that there must be an actual injury for the lawsuit to be successful. U.S. District Judge James Donato disregarded the “faulty proposition” and denied both parties’ cross motions for summary judgement. The judge stated that summary judgment was not proper due to factual differences articulated by the parties. The dispute over how Facebook’s photo-tagging software processes faces is the crux of the case and will determine if Facebook violated BIPA. The users argue that the software collects scans of faces because it uses regions of a face to recognize who is in the photographs. Facebook countered, claiming that the technology analyzes all pixels in the photograph rather than any particular human feature; it “learns for itself” how to determine different faces.
Judge Donato noted that this kind of factual divergence is “a quintessential dispute” for a jury to decided. The class “identified more than enough evidence to allow a reasonable jury to conclude their biometric data was harvested.” The users also uncovered internal emails that indicated Facebook knew it was collecting information typically referred to as biometric data. The trial date is set for July 9 in San Francisco. If the lawsuit is successful, Facebook will have to pay $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. With over 200 million Facebook users in the US, this could be a multi-billion-dollar invasion of privacy.
The case is In re Facebook Biometric Information Privacy Litigation, 15-cv-03747.
Brittany Levine is with Austin Law Firm in Raleigh, North Carolina.