Illinois residents who are suing Facebook over its facial recognition technology can proceed with their claims that the company is violating an Illinois privacy law, a federal judge ruled this week.
In the ruling, U.S. District Court Judge James Donato rejected Facebook's bid to dismiss on the grounds that the plaintiffs didn't suffer any concrete harms as a result of Facebook's photo-tagging feature.
The decision marked the latest defeat for Facebook in a privacy battle that dates to 2015, when several Illinois residents sued the company over its photo-tagging feature, which recognizes users' faces and suggests their names when they appear in photos uploaded by their friends. To accomplish this, Facebook draws on its vast store of users' photos. (The company recently unveiled new controls that allow people to opt out of having their photos recognized.)
The Illinois residents alleged that the automatic photo-tagging feature violates the Illinois Biometric Information Privacy Act -- a 2008 law that requires companies to obtain written releases from people before collecting “face geometry” and other biometric data.
Donato previously rejected Facebook's contention that the Illinois statute didn't apply to data gleaned from photos.
Facebook subsequently argued that the case should be dismissed on the grounds that none of the plaintiffs were harmed by auto-tagging. The company argued in court papers that none of the plaintiffs alleged that "they were identified in an embarrassing photo and therefore fired from their jobs," or that "they were victims of identity theft," or "caught in a compromising situation that adversely -- and concretely -- affected their relationships."
Donato rejected that argument, ruling that lawmakers in Illinois had decided that companies' collection of biometric information could cause harm.
"The Illinois legislature codified a right of privacy in personal biometric information," Donato wrote. He added that the Illinois law's procedural protections" are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers -- identifiers that cannot be changed if compromised or misused."
Donato added: "When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized."