• by Wendy Davis  @wendyndavis, April 6, 2015

Facebook has been hit with a lawsuit alleging that its collection and use of “faceprints” to identify users violates an Illinois law regarding biometric data.

“Not only do Facebook's actions controvert industry best practices, they also violate the privacy rights of Illinois residents,” Carlo Licata alleges in a potential class-action complaint filed in state court in Cook County.

Licata's lawsuit stems from Facebook's automatic photo-tagging feature, rolled out in 2010. That feature recognizes users' faces and suggests their names when they appear in photos uploaded by their friends. To accomplish this, Facebook draws on its vast store of users' photos.

Licata alleges that Facebook's compilation of that database runs afoul of the Illinois Biometric Information Privacy Act, which requires companies to obtain written releases from people before collecting “face geometry” and other biometric data. The Illinois law, passed in 2008, also requires companies that gather biometric data to notify people about the practice, and to publish a schedule for destroying the information.

Facebook allows people to opt out of being automatically tagged, but Licata argues Facebook's opt-outs don't satisfy the Illinois law's requirements.

“Facebook doesn't disclose its wholesale biometrics data collection practices in its privacy policies, nor does it even ask users to acknowledge them,” the lawsuit alleges. “With millions of users in the dark about the true nature of this technology, Facebook secretly amassed the world's largest privately held database of consumer biometrics data.”

The complaint adds that Facebook “doesn't even require users to acknowledge its collection of their biometric data, let alone receive a written release from users before collecting their faceprints.”

A Facebook spokesperson says the lawsuit is “without merit” and that the company will defend itself “vigorously.”

When Facebook rolled out face-tagging in 2010, the feature drew some criticism by lawmakers and privacy advocates, who said that the company should get people's explicit consent before subjecting them to the automatic tagging technology.

But until this lawsuit was filed last week, no one appears to have suggested that Facebook's facial recognition technology potentially violated any state laws.

Illinois lawmakers -- who enacted this measure two years before Facebook rolled out its facial recognition program -- didn't reference social networks in the text of the statute. Instead, the law discusses the growing use of biometrics in “the business and security screening sectors,” and cites examples like “finger-scan technologies at grocery stores, gas stations, and school cafeterias.”

Santa Clara University law professor Eric Goldman points out that lawmakers in Illinois might not have envisioned how companies like Facebook would use faceprints today. “It's a niche statute, enacted to solve a particular problem,” he says. “Seven years later, it's being applied to a very different set of circumstances.”

But Licata's attorneys say that the Illinois legislature presciently envisioned the potential threat posed by biometric databases. “We don't know what would happen if hackers came in and stole this information,” says attorney Jay Edelson, who heads the law firm representing Licata. “No company can guarantee that they won't be hacked.”