• by Wendy Davis  @wendyndavis, December 31, 2015

In a first, a federal judge has ruled that a biometric privacy law in Illinois potentially prohibits Web companies from compiling databases of faceprints.

U.S. District Court Judge Charles Norgle in Illinois this week rejected online photo service Shutterfly's bid to dismiss a lawsuit alleging that it violated the Illinois Biometric Information Privacy Act. That law, which dates to 2008, prohibits companies from storing people's "biometric identifiers," including scans of face geometry, without their consent.

The ruling grew out of a potential class-action lawsuit filed in June by Robert Norberg. He alleged that his faceprint was added to Shutterfly's database after his picture was uploaded to the online photo service, and tagged with his name, by someone else.

Shutterfly argued that the Illinois privacy law didn't apply to faceprints derived from photos. The statute excludes photos from the definition of "biometric identifiers," but also includes scans of "face geometry" in the definition.

Norgle rejected that argument, writing that Norberg "plausibly stated a claim" under the Illinois law.

Facebook is facing a similar lawsuit in federal court in the Northern District of California. Like Shutterfly, Facebook argues that the Illinois law doesn't apply to faceprints derived from photos. Facebook also says that lawsuit should be dismissed on the grounds that California doesn't have a biometric privacy law comparable to the one in Illinois; Facebook's terms of service provide that California law will govern all disputes.

A judge in California heard arguments in that matter earlier this month.