Facebook can’t wiggle out of facial recognition lawsuit, judge says

Three years ago, Facebook was hit with a class action lawsuit over allegedly violating privacy rights by “secretly” sticking users’ faces into its huge database without their consent.

No, you can’t wiggle out of this one, a San Francisco federal judge said a year later, refusing to approve Facebook’s request to toss the suit.

On Monday, he said it again. In his order, US District Judge James Donato scolded Facebook, noting “a troubling theme” in the social media network’s “voluminous” submissions (there have been hundreds of pages) of briefs, documents, emails, deposition testimony and expert opinions.

Namely, they show that Facebook’s reverting to “the faulty proposition” that plaintiffs must show an “actual” injury beyond the invasion of the privacy rights afforded by Illinois’s 2008 Biometric Information Privacy Act (BIPA), over which the class action suit was filed.

That’s not what the court’s prior decisions said, Donato wrote.

The Court expressly rejected that contention in considerable detail in the class certification order and the order finding… standing to sue.

A class was certified for that exact reason. BIPA does not require additional proof of individualized “actual” harm, and so the question of whether Facebook is liable can be decided in “one stroke” for the class as a whole without a likelihood that individualized inquiries would overwhelm commonality and predominance.

Donato said that to contend otherwise is to “misread and misrepresent the Court’s orders.”

Therefore, Facebook’s got to face the facial-recognition music, he said. Donato dismissed requests by both parties to get a summary judgment decision, given that the parties can’t agree on so many things, including whether the collection of “facial geometry” amounts to facial recognition or not.

From the order:

The parties unleash volleys of other competing evidence. [It’s up to a jury] to resolve the genuine factual disputes surrounding facial scanning and the recognition technology.

He also dismissed Facebook’s argument that it’s immune from having to pay a minimum of $1,000, and as much as $5,000, for each violation of the law. That’s “not a sound proposition,” Donato wrote.

The lawsuit is one of the first tests of BIPA.

The suit claims that the social network violated Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent, collecting it and squirreling it away in what Facebook claims is the largest privately held database of facial recognition data in the world.

Specifically, the suit claims that Facebook didn’t do any of the following:

  • Properly inform users that their biometric identifiers (face geometry) were being generated, collected or stored.
  • Properly inform them, in writing, what it planned to do with their biometrics and how long the company planned to collect, store and use the data.
  • Provide a publicly available retention schedule and guidelines for permanently destroying the biometric identifiers of users who don’t opt out of “Tag Suggestions”.
  • Receive a written release from users to collect, capture, or otherwise obtain their biometric identifiers.

BIPA bans collecting and storing biometric data without explicit consent, including “faceprints.”

Facebook argued in its May 2016 motion to dismiss the suit that users can’t file a complaint under BIPA, since the Facebook user agreement says that California law would govern any disputes with the company. Besides, Facebook said in this earlier motion, BIPA doesn’t apply to Facebook’s facial tagging suggestions for photos.

Wrong and wrong again, Donato said in rejecting Facebook’s 2016 motion to dismiss: going by Illinois law is just fine.

Also, Facebook’s contention that BIPA doesn’t cover faceprints is likewise weak, he said, given that the law, written as it was in light of modern technology, “regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information by “[m]ajor national corporations””, among others.

BIPA specifically defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” Donato wrote.

A full trial is slated to start on 9 July.