Siding against Facebook, a federal judge has refused to dismiss a lawsuit accusing the company of violating an Illinois biometric privacy law by compiling a database of "faceprints."
In a ruling issued Thursday, U.S. District Court Judge James Donato in San Francisco rejected Facebook's argument that the Illinois Biometric Privacy Information Act doesn't apply to faceprints that are derived from photos. "Facebook’s contention that the statute categorically excludes from its scope all information involving photographs ... is unpersuasive," Donato wrote.
The ruling stems from a 2015 lawsuit centered on Facebook's automatic photo-tagging feature, rolled out six years ago. That feature recognizes users' faces and suggests their names when they appear in photos uploaded by their friends. To accomplish this, Facebook draws on its vast store of users' photos.
The plaintiffs -- Carlo Licata, Adam Penzen and Nimesh Patel -- allege in a potential class-action that Facebook's compilation of a faceprint database runs afoul of Illinois' biometric privacy law, That measure requires companies to obtain written releases from people before collecting “face geometry” and other biometric data. The Illinois law, passed in 2008, also requires companies that gather biometric data to notify people about the practice, and to publish a schedule for destroying the information.
Facebook argued that the case should be dismissed for several reasons. Among others, Facebook contended that the Illinois law doesn't apply to faceprints derived from photos.
The Illinois law contains language excluding "photos" from the definition of "biometric identifiers." A separate definition of "biometric information" appears to go further by also excluding any information derived from photos.
Facebook argued that those definitions mean that "face geometry" is only covered when it's based on something other than photos, like in-person scans.
Donato rejected that argument as inconsistent with the law's purpose. "The statute is an informed consent privacy law addressing the collection, retention and use of personal biometric identifiers and information at a time when biometric technology is just beginning to be broadly deployed," he wrote. "Trying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology."
A different federal judge in Illinois recently sided against Shutterfly on the same question.
Facebook also unsuccessfully argued that the case should be dismissed because the company's terms of service provide that California law applies to all disputes. California doesn't have a law comparable to Illinois' biometric privacy measure.
But Donato said in the ruling that applying California law would run counter to a fundamental policy in Illinois. "If California law is applied, the Illinois policy of protecting its citizens’ privacy interests in their biometric data, especially in the context of dealing with 'major national corporations' like Facebook, would be written out of existence," he wrote.
The judge noted that the case was still in an early stage, and that new facts might emerge that would affect the ultimate outcome.
Facebook isn't the only company accused of violating the Illinois privacy law. Google also is facing a similar lawsuit for allegedly collecting faceprints in connection with Google Photos.