By Julie Liu

Facebook’s facial recognition technology has evolved to a point where it is as disturbing to many users as it is helpful. Earlier this month, the District Court for the Northern District of California denied a motion to dismiss a class action alleging that Facebook had unlawfully collected biometric data. In particular, plaintiffs took issue with Facebook’s “tags suggestion” feature, which identifies subjects in users’ photos and suggests names for users to tag faces in photos with.

The action grew out of three separate suits by Illinois-based Facebook users, who each sued Facebook in 2015. The plaintiffs looked to the Biometric Information Privacy Act (BIPA), an Illinois law which prohibits “private entities” (including individuals and companies) from obtaining an uninformed, non-consenting subject’s “biometric identifier or biometric information.” Notably, the Act defines “biometric identifier” to include scans of “face geometry.” Further, “‘biometric information’ means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”

Facebook suggests tags using facial recognition software that scans uploaded photos and generates a “template” for individuals based on features such as “the distance between the eyes, nose and ears.” The plaintiffs allege that Facebook violated BIPA by collecting and storing users’ biometric data without: informing them that it was doing so, obtaining users’ written consent, or providing guidelines for permanently destroying the data.

At Facebook’s request, the three pending cases were transferred from the Northern District of Illinois to the Northern District of California, where they were consolidated into a class action. Facebook filed a FRCP Rule 12(b)(6) motion to dismiss the complaint, arguing that the plaintiffs could not pursue a claim under BIPA because Facebook’s Terms of Use stipulate that California law governs their disputes. California law does not restrict the collection of biometric data. During the sign-up process, two plaintiffs had clicked a box indicating they had read and understood the Terms of Use, and the third had clicked a “Sign Up” box with language stating that clicking the box constituted assent to the user agreement. Despite finding that all plaintiffs agreed to Facebook’s user agreement, the court refused to enforce the California choice-of-law cause, finding it contrary to fundamental Illinois public policy. Specifically, the court referred to BIPA’s underlying policy of “protecting citizens’ privacy interests in their biometric data, especially in the context of dealing with ‘major national corporations’ like Facebook.”

Given that Facebook’s use of facial recognition technology has already raised serious privacy concerns for users, the decision seems like a win for millions in the U.S. seeking to protect their identity online and assert some control over the access and use of their identifying information by companies. Although the ruling establishes that the plaintiffs have a valid claim, we will have to see how the case proceeds in order to better understand the lawfulness of Facebook’s data collection.

Currently, BIPA is a unique law in the U.S.—Texas is the only other state with laws requiring the informed consent of individuals for purposes of collecting biometric data, or addressing the commercial use of biometric data at all. Other states may follow in kind in the near future; for example, a Washington State bill to protect consumers’ biometric information was introduced in 2015. Although it met opposition from business groups, it was still on the table as of earlier this year.

For the most part, Facebook has managed to avoid controversy in the launch of Moments, its photo-sharing app, in the EU and Canada. This is because the versions of the app available in these regions use object recognition instead of facial recognition. Rather than automatically identifying people in photos, the app groups together photos that may contain the same person.

Image Source: TECHMalak.com