• by Wendy Davis  @wendyndavis, November 13, 2015

A group of Illinois Facebook users are urging a federal judge to allow them to proceed with a lawsuit accusing the company of violating an Illinois privacy law by storing people's "faceprints."

The Illinois residents allege that the social networking service runs afoul of a 2008 biometric privacy law that requires companies to obtain written releases from people before collecting a "scan of hand or face geometry" and other biometric data, like fingerprints and voiceprints. The statute also requires companies that gather biometric data to notify people about the practice, and to publish a schedule for destroying the information.

The lawsuit, brought earlier this year by Carlo Licata and other Facebook users, stems from the company's automatic tagging feature, which recognizes users' faces and suggests their names when they appear in photos uploaded by their friends. To accomplish this, Facebook draws on its vast store of photos posted by users.

Facebook has asked U.S. District Court Judge James Donato in San Francisco to dismiss the potential class-action lawsuit for several reasons, including that its terms of service provide that California law will govern all disputes. California doesn't have a biometric privacy law comparable to the one in Illinois.

But lawyers for the consumers counter in papers filed this week that Illinois' interest in "protecting its citizens' privacy" outweighs Facebook's terms of service. They argue that Facebook shouldn't be allowed to "undercut Illinois' fundamental public policy protecting biometric data" by insisting that users agree to the site's terms.

Facebook also says that the Illinois Biometric Information Privacy Act doesn't apply to faceprints derived from photos. The company argues that the restrictions only apply to faceprints derived from physical scans, such as those that 'require a person to present his or her hand or face itself at a console or other type of scanner.'"

The photo service Shutterfly, which is facing a similar lawsuit in Illinois, is making the same argument. The Illinois law excludes photos from the definition of "biometric identifiers," even though the statute says it applies to scans of face geometry. Another provision of the law says that "biometric information" doesn't include information derived from photos.

Licata and the other Facebook users say the company's interpretation of the law is "illogical" and "would produce absurd results."

"Under Facebook’s interpretation, a voiceprint extracted from a wiretap would not be regulated by BIPA because it was not collected 'in person.' Nor would be a retina scan extracted from a photograph shot by a hidden camera with a high-powered zoom lens," the users say. "But a retina scan or voiceprint extracted from a knowing subject who presents himself or herself at a 'console' or 'kiosk' would be regulated."

No judges have yet decided whether the Illinois law applies to faceprints that are extracted from photographs.

Donato has scheduled a conference in the case for Dec. 16.