Facebook users have brought a class action lawsuit under the Illinois Biometric Information Privacy Act (“BIPA”) challenging Facebook’s collection of their biometric face information without notice or consent. Facebook collects this information for use in its Tag Suggestions tool, which uses facial recognition software to identify the faces of users in images uploaded to Facebook. The U.S. District Court for Northern California denied Facebook’s many motions to dismiss and for summary judgment, and ultimately certified the class. Facebook sought permission to appeal the class certification at the Ninth Circuit, which was granted. Facebook claims that the class should not have been certified because Plaintiffs have not alleged any harm beyond Facebook’s violation of BIPA. Plaintiffs argue, and the District Court agreed, that an individual has standing if they allege a violation of BIPA.
Whether the collection of an individual’s biometric data in violation of the Illinois Biometric Information Privacy Act is sufficient to establish Article III standing.
Facebook users in Illinois allege that Facebook collected their biometric data without notice or consent through the Tag Suggestions tool, which scans for and identifies people in photographs users upload to Facebook. Tag Suggestions works through a four-step facial recognition process. First, the tool tries to detect faces in uploaded images. The tool then standardizes, or “aligns,” the face along a set of parameters, such as orientation and size. In the third step, the software computes a “face signature,” which is a string of numbers that represents that particular face. The software then searches a database of stored “face templates” for a match. The stored face templates are calculated based on other photographs that a user is tagged in. A match occurs when the face signature falls within a threshold of similarity to a stored face template, at which point Facebook suggests tagging the user to whom the face template is assigned. Facebook claims that they only store face templates, and not face signatures.
Facebook estimates that 90% of faces appearing in photographs are successfully detected, and of those, 85% are successfully aligned. Thus, approximately 76% of faces appearing in photographs have face signatures computed. According to Facebook, in 2014, it was able to match around 67% of detected faces with users.
The Illinois Biometric Information Privacy Act (“BIPA”) requires a corporation that obtains a person’s biometric information to 1) obtain a “written release” from them prior to collection, 2) provide them notice that their information is being collected and stored, and 3) state the duration the information will be collected, stored and used as well as its specific purpose. The law gives a private right of action to anyone “aggrieved” under the statute. Several courts have considered, and disagreed on, the meaning of the term “aggrieved” under BIPA. While some courts have considered a violation of the biometric notice and consent requirements to be a privacy violation that is actionable in itself, other courts have held that an aggrieved party must allege both a technical violation of the law and a separate and additional claim of injury.
The Illinois Legislature passed the BIPA in 2008 to protect the “welfare, security, and safety” of Illinois residents by “regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric information.” Seeing the use of biometric identifiers growing, especially in the financial sector, the Illinois Legislature was cognizant that unlike other unique identifiers, biometrics are biologically unique and cannot be changed even if compromised. Furthermore, knowing that the implications of using biometric identifiers for a commercial purpose are unknown, the Illinois Legislature intended BIPA to address the concerns of a wary public that may be deterred from transactions that require biometric identification.
To combat these worries, BIPA requires a corporation that obtains a person’s biometric information to first obtain a “written release” from the customer or the customer’s representative. The law also requires a corporation that seeks to obtain biometric information from a customer to first provide “in writing” various information: (1) that the biometric information is being “collected;” (2) that the biometric information is being “stored;” (3) the “length of term” that the biometric information will be collected, stored, and used; and (4) the “specific purpose” for the collection, storage, and use of the information.
Federal courts are courts of limited jurisdiction, meaning that they may only consider a case if the subject matter and parties meet certain requirements. One of these requirements is that the plaintiffs have “standing.” In Spokeo v. Robins, the Supreme Court decided that, for a plaintiff to have standing, they must demonstrate that they have “suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” The Court went on to say that Congress can create statutory rights and causes of action “that will give rise to a case or controversy where none existed before,” and that “the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact. In other words, a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified.” The Ninth Circuit has recognized that state legislatures can also create interests that support standing in federal courts.
Facebook users filed several lawsuits against Facebook under the Illinois Biometric Information Privacy Act (“BIPA”). The cases were consolidated in the U.S. District Court for the District of Northern California. Facebook sought to dismiss the case, arguing that Plaintiffs lacked standing because they had only alleged that Facebook collected their biometric data in violation of BIPA, but did not allege any actual damages. Plaintiffs moved for the court to certify the class under Federal Rule of Civil Procedure 23(b)(3). The District Court rejected Facebook’s objections to standing and class certification, certifying the class of Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011. The District Court recognized that the Illinois legislature codified a right to privacy in personal biometric information, and that it was the judgment of the legislature that violation of BIPA’s procedures would cause actual and concrete harm sufficient to confer Article III standing on those whose rights were violated. Facebook sought permission from the Ninth Circuit to appeal the District Court’s decision, which the Ninth Circuit granted.
EPIC has long advocated for strict limits on the use of biometric data and facial recognition software. EPIC argues that biometric data is personally identifiable information that cannot be changed, even if compromised. Improper collection of this information can contribute to identity theft, inaccurate identifications, and infringement on constitutional rights. Strict limits on biometric data are the best practice to prevent abuse.
EPIC has long been concerned with Facebook’s privacy practices and with Facebook’s use of facial recognition software. In 2011, EPIC and other consumer protection groups complained to the FTC about Facebook’s face identifying software. In 2018, EPIC again complained to the FTC about Facebook’s use of face recognition software, and the FTC’s failure to enforce the 2011 Facebook consent order.
EPIC has filed amicus briefs in several cases arguing that violation of a statutory duty to protect data is sufficient to confer standing. Earlier in 2018, EPIC filed an amicus brief in the Illinois Supreme Court in Rosenbach v. Six Flags, another case concerning who has standing to sue under Illinois’s Biometric Information Privacy Act. EPIC also filed an amicus in In re OPM, arguing that “when personal data is collected by a government agency, that agency has a constitutional obligation to protect the personal data it has obtained.”
U.S. Supreme Court (No. 19-709)
- Facebook’s Petition for a Writ of Certiorari (Dec. 2, 2019)
U.S. Court of Appeals for the Ninth Circuit (No. 18-15982)
- Facebook’s Opening Brief (Public Redacted Version) (Dec. 7, 2018)
- Amicus Briefs in Support of Appellant Facebook
- Amicus Briefs in Support of Plaintiffs-Appellees
- Appellees Facebook Users’ Motion to Vacate Order Granting Interlocutory Appeal (Jan. 31, 2019)
- Appellant Facebook’s Opposition to Motion to Vacate Order Granting Interlocutory Appeal (Feb. 11, 2019)
- Appellees Facebook Users’ Reply to Opposition to Motion to Vacate Order Granting Interlocutory Appeal (Feb. 19, 2019)
- Oral Argument (June 12, 2019) (Audio|Video)
- Opinion (Aug. 8, 2019)
- Order Denying Rehearing and En Banc Review (Oct. 18, 2019)
U.S. District Court for the Northern District of California (No. 3:15-cv-0374)
- Consolidated Class Action Complaint (Aug. 28, 2015)
- Facebook’s Answer (Jun. 2, 2016)
- Facebook’s Amended Answer (Nov. 11, 2016)
- Renewed Motion to Dismiss for Lack of Subject Matter Jurisdiction
- Class Certification
- Motion for Class Certification (Dec. 8, 2017)
- Facebook’s Opposition to Motion for Class Certification (Jan. 26, 2018)
- Plaintiffs’ Reply to Opposition to Motion for Class Certification (Feb. 9, 2018)
- Order Certifying Class (Apr. 16, 2018)
- EPIC FTC Complaint: In re Facebook and Facial Recognition (2018)
- EPIC FTC Complaint: In re Facebook and the Facial Identification of Users (2011)
- EPIC Amicus: Rosenbach v. Six Flags
- EPIC Amicus: In re Office of Personnel Management
- EPIC Amicus: Attias v. Carefirst, Inc.
- EPIC Amicus: In re SuperValu Customer Data Security Breach Litigation
- EPIC Amicus: Spokeo, Inc. v. Robins
- EPIC Amicus: Eichenberger v. ESPN
- Allison Grande, Facebook Row Fair Game For Ill. Privacy Law, 9th Circ. Told, Law360 (Dec. 18, 2018)