Sorry, Facebook: that class action lawsuit over violating privacy rights with your facial recognition technology isn’t going away anytime soon.
A San Francisco federal judge on Thursday refused Facebook’s request to toss the lawsuit, letting the case move forward.
The lawsuit was filed by some Illinois residents under Illinois law, but the parties agreed to transfer the case to the California court, the court order showed.
What the suit claims: the social network violated Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent from the plaintiffs, Nimesh Patel, Adam Pezen and Carlo Licata, collecting it and squirreling it away in what Facebook claims is the largest privately held database of facial recognition data in the world.
Specifically, the suit claims that Facebook didn’t do any of the following:
- Properly inform users that their biometric identifiers (face geometry) were being generated, collected or stored
- Properly inform them, in writing, what it planned to do with their biometrics and how long the company planned to collect, store and use the data
- Provide a publicly available retention schedule and guidelines for permanently destroying the biometric identifiers of users who don’t opt out of “Tag Suggestions”
- Receive a written release from users to collect, capture, or otherwise obtain their biometric identifiers
The Illinois law in question – the Illinois Biometric Information Privacy Act (BIPA) – bans collecting and storing biometric data without explicit consent, including “faceprints.”
What Facebook argued in a motion to dismiss the suit: users can’t file a complaint under BIPA, since the Facebook user agreement says that California law would govern any disputes with the company. Besides, Facebook said in its motion, BIPA doesn’t apply to Facebook’s facial tagging suggestions for photos.
US District Judge James Donato didn’t buy it.
First of all, going by Illinois law is just fine. From his ruling:
The answer here could not be clearer. Illinois will suffer a complete negation of its biometric privacy protections for its citizens if California law is applied. In contrast, California law and policy will suffer little, if anything at all, if BIPA is applied.
Facebook’s contention that BIPA doesn’t cover faceprints is likewise weak, he said, given that the law, written as it was in light of modern technology, “regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information by “[m]ajor national corporations,” among others.
It specifically defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” the judge pointed out.