Most Facebook users have encountered a key feature of the social media service when uploading photos: suggested tags based on facial recognition (“Tag Suggestions”). This feature has remained unchallenged until recently, when a class-action lawsuit was filed against the tech giant, claiming that key elements of this feature violate Illinois’ Biometric Information Privacy Act (BIPA), a law enacted in 2008. The law, which was originally drafted by Illinois’ ACLU chapter, states that private entities collecting biometric information (defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”) must provide public information about their data retention policy as well as guidelines for data destruction. BIPA also prevents companies from selling or trading such information, and requires that they protect such data as they would other confidential or sensitive information.
Although Facebook is based out of California, three Illinois plaintiffs – Nimesh Patel, Adam Pezen, and Carlo Licata – claim that Facebook has violated the law. The case was initially transferred to a California court, where Facebook requested to have the motion dismissed due to a requirement in its company’s terms and conditions that all cases litigated against them must cite only California laws. The motion also argued that BIPA could not cover the case anyway because the image scans implemented by Tag Suggestions did not technically constitute scans of hand or face geometry, among other reasons. However, the judge denied the request to dismiss the case, stating that the defendants have a “plausible claim” to proceed with the suit.
Facebook isn’t the only company to face such lawsuits. Shutterfly settled a similar suit filed under the statute, Snapchat is currently fighting a BIPA case for its animated filters, and Google argues that the law is unconstitutional due to its ostensible nationwide assertion of state law. Digital privacy advocates, including the ACLU and the Electronic Frontier Foundation (EFF), view BIPA as a step in the right direction in protecting users’ privacy. Such technologies, they claim, could set a risky precedent for data collection and retention unless curbed by sensible legislation. On the other hand, some feel that the law is too broad in both scope and application; Illinois State Senator Terry Link, a co-sponsor of BIPA, proposed an amendment that would restrict the law from applying to digital photos – effectively ending the lawsuits against Facebook, Snapchat, and Google. While the bill did not pass, it stirred up considerable controversy, with opponents suggesting that he succumbed to lobbyists. (The plaintiffs in the case even requested that Facebook provide documents about their lobbying activity, to which Facebook responded with a few heavily redacted documents.) The considerable large-scale disagreements in this case make it uniquely important to legislative future.
And while entities may disagree on the merits of the case as well as the law in general, what is not in disagreement is the fact that the outcome of this case could set a profound precedent. If the lawsuit is successful, it could open the floodgates to much more litigation, as well as more privacy-focused legislation. Texas is currently the only other state to have such legislation (although in the case of Texas, only the state’s attorney general can file a lawsuit), but this could very well change with our increasing awareness of digital privacy and data collection. No doubt both advocacy groups like the EFF as well as tech companies would ask for clear laws detailing the rights of users vs. companies, though the specifics would obviously differ. While the law only covers one specific area of digital privacy, it could have long-term legal implications beyond biometric scans.