Siding against Facebook, a federal judge has refused to dismiss a lawsuit accusing the company of violating an Illinois biometric privacy law by compiling a database of
"faceprints."
In a ruling issued Thursday, U.S. District Court Judge James Donato in San Francisco rejected Facebook's argument that the Illinois Biometric Privacy Information Act
doesn't apply to faceprints that are derived from photos. "Facebook’s contention that the statute categorically excludes from its scope all information involving photographs ... is
unpersuasive," Donato wrote.
The ruling stems from a 2015 lawsuit centered on Facebook's automatic photo-tagging feature, rolled out six years ago. That feature recognizes users' faces and
suggests their names when they appear in photos uploaded by their friends. To accomplish this, Facebook draws on its vast store of users' photos.
The plaintiffs -- Carlo Licata, Adam Penzen
and Nimesh Patel -- allege in a potential class-action that Facebook's compilation of a faceprint database runs afoul of Illinois' biometric privacy law, That measure requires companies to obtain
written releases from people before collecting “face geometry” and other biometric data. The Illinois law, passed in 2008, also requires companies that gather biometric data to notify
people about the practice, and to publish a schedule for destroying the information.
Facebook argued that the case should be dismissed for several reasons. Among others, Facebook contended
that the Illinois law doesn't apply to faceprints derived from photos.
The Illinois law contains language excluding "photos" from the definition of "biometric identifiers." A separate
definition of "biometric information" appears to go further by also excluding any information derived from photos.
Facebook argued that those definitions mean that "face geometry" is only
covered when it's based on something other than photos, like in-person scans.
Donato rejected that argument as inconsistent with the law's purpose. "The statute is an informed consent privacy
law addressing the collection, retention and use of personal biometric identifiers and information at a time when biometric technology is just beginning to be broadly deployed," he wrote. "Trying to
cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the
face of emerging biometric technology."
A different federal judge in Illinois recently sided against Shutterfly on the same question.
Facebook also
unsuccessfully argued that the case should be dismissed because the company's terms of service provide that California law applies to all disputes. California doesn't have a law comparable to
Illinois' biometric privacy measure.
But Donato said in the ruling that applying California law would run counter to a fundamental policy in Illinois. "If California law is applied, the
Illinois policy of protecting its citizens’ privacy interests in their biometric data, especially in the context of dealing with 'major national corporations' like Facebook, would be written out
of existence," he wrote.
The judge noted that the case was still in an early stage, and that new facts might emerge that would affect the ultimate outcome.
Facebook isn't the only
company accused of violating the Illinois privacy law. Google also is facing a similar lawsuit for allegedly collecting faceprints in connection with Google
Photos.