• by Wendy Davis  @wendyndavis, April 1, 2022

In a partial defeat for Facebook parent Meta, a judge ruled Thursday that non-Facebook users who reside in Illinois can proceed with a claim that the company violated a state biometric privacy law.

U.S. District Court Judge James Donato in the Northern District of California specifically ruled that the company must face allegations that it compiled faceprints of Illinois residents, but failed to post a written data retention policy.

But Donato threw out a claim that Facebook collected the faceprints of Illinois non-users without their consent, ruling that even if the allegations were true, Facebook lacked a practical means of contacting non-users to obtain their consent.

The decision stems from a class-action complaint brought against Facebook in 2018 by Illinois resident Clayton Zellmer.

He alleged that Facebook's face-tagging system violated the Illinois Biometric Privacy Act, which regulates companies' collection and storage of voiceprints, scans of facial geometry, retina scans and other biometric data. Among other requirements, the Illinois law obligates companies to obtain state residents' consent before collecting biometric data, and to make available a written data-destruction policy.

Zellmer's lawsuit centered on Facebook's former practice of scanning photos in order to identify the people depicted. The company rolled out facial recognition in late 2010, when it used technology to suggest people's names when they appeared in photos uploaded by friends. In 2018, the company also began using facial recognition to tell users when they appear in photos posted by other people.

Last November, Facebook said it would stop using facial-recognition technology.

Zellmer alleged that Facebook's system scanned all faces in photos -- users as well as non-users -- and then created facial templates that could be used to recognize anyone depicted in the photo.

Facebook declined to comment for this article, but argued in court papers that it was unable to identify non-users based on photos.

“Facebook does not create, save, or store templates for non-users who appear in photos,” Facebook argued in a motion seeking summary judgment in the case. “As a result, the face signatures derived from images of non-users like Mr. Zellmer cannot be -- and are not -- used to identify anyone.”

Donato said in his ruling that factual disputes over how Facebook handled faceprints of non-users couldn't be resolved without a trial.

He pointed to several examples, including that Facebook said it deleted “face signatures” if there was no match to an existing template, while Zellmer contended that Facebook stored biometric identifiers for later use.

“These are quintessential disputes of material facts that will require a trial to resolve.”

Facebook recently agreed to pay $650 million to settle a different class-action biometric privacy lawsuit brought by Illinois residents who used the social media platform.

The company is also facing a separate lawsuit over by Texas Attorney General Ken Paxton, who alleged earlier this year that Facebook violated that state's biometric privacy law by collecting residents' faceprints without their consent.