last thing Facebook
Inc. needs is another privacy headache -- and it
now has a big one.
federal judge ruled Monday that millions of the social network’s users
can proceed as a group with claims that its photo-scanning technology
violated an Illinois law by gathering and storing biometric data without
their consent. Damages could potentially run into the billions of
dollars -- a fact that wasn’t lost on the judge, who was unsympathetic
to Facebook’s arguments for limiting its legal exposure.
case dates back to 2015, long before Facebook became mired in
controversy over revelations that millions of its users’ private
information fell into the hands of British consulting firm Cambridge
Analytica. It’s rare for
consumers to win class-action status in privacy cases. In Facebook’s
history, most such cases don’t
get that far.
has for years encouraged users to tag people in photographs they upload
in their personal posts and the social network stores the collected
information. The company has used a program it calls DeepFace to match
other photos of a person. Alphabet
Inc.’s cloud-based Google Photos service uses similar technology
and Google faces a lawsuit in Chicago like the one against Facebook in
San Francisco federal court.
companies have insisted in court that gathering data on what you look
like isn’t against the law, even without your permission. But under the
Illinois Biometric Information Privacy Act of 2008, the companies could
be fined $1,000 to $5,000 each time a person’s image is used without
said it’s reviewing the ruling. “We continue to believe the case has no
merit and will defend ourselves vigorously,” spokeswoman Genevieve
Grdina said in an emailed statement. A lawyer for the plaintiffs
declined to comment on Monday’s ruling.
Long History of Resolving Privacy Claims on the Cheap
company “seems to believe” that the lawsuit should be pursued by
individuals, not as a group, because “damages could amount to billions
of dollars,” U.S. District Judge James Donato wrote in the ruling.
company argued each individual user could be “aggrieved” differently,
and must prove that they suffered an actual injury beyond a privacy
right. Nonetheless, the judge said “substantial damages are not a reason
to decline class certification,” because he could reduce them at a later
stage of the litigation.
class of users approved by Donato dates back to June 2011, when Facebook
had an Illinois user base of more than 6 million people, according to
lawyers for the plaintiffs. “Although many individuals may not have had
enough tagged photos to generate a face template in Facebook’s database,
in January 2011 (i.e., before Facebook implemented tag suggestions for
all users) the average user was tagged in 53 photos, far more than the
10 needed to generate a face template,” according to a December court
advocates have said the billions of images Facebook is thought to be
collecting could be even more valuable to identity thieves than the
names, addresses, and credit card numbers now targeted by hackers. While
those types of information are mutable -- even Social Security numbers
can be changed -- biometric data for retinas, fingerprints, hands, face
geometry and blood samples are unique identifiers.
Are Some Ways Washington Could Rein In Facebook: QuickTake
Facebook Chief Executive Officer Mark Zuckerberg testified in Congress
last week over the Cambridge Analytica scandal, Illinois Senator Richard
Durbin accused the company of trying to water down the state’s biometric
afraid Facebook has come down to the position of trying to carve out
exceptions to that,” the Democrat said, according to a transcript of the
April 11 hearing. “I hope you’ll fill me in on how that is consistent
with protecting privacy.”
Illinois residents who sued argued the 2008 law gives them a “property
interest” in the algorithms that constitute their digital identities.
The judge has agreed that gives them grounds to accuse Facebook of real
which got the case moved to San Francisco from Illinois, argued the
users hadn’t suffered a concrete injury such as physical harm, loss of
money or property; or a denial of their right to free speech or
have struggled over
what qualifies as an injury to pursue a privacy case in lawsuits
accusing Facebook and Google of siphoning users’ personal information
from emails and monitoring their web-browsing habits. Suits over selling
the data to advertisers have often failed.
has ruled that the Illinois law is clear: Facebook has collected a
“wealth of data on its users, including self-reported residency and IP
addresses.” Facebook has acknowledged that it can identify which users
who live in Illinois have face templates, he wrote.
previously rejected Facebook’s argument that the case had to be
dismissed because the attempt to enforce Illinois law runs afoul of its
user agreement that requires disputes to be resolved under the laws of
California, where it’s based.
case is In re Facebook Biometric Information Privacy Litigation,
15-cv-03747, U.S. District Court, Northern District of California (San