Those on Facebook know the site is quite good at recognizing others in posted photos and suggesting friends to tag. Most click on the tag suggestion and move on with little to no thought on just how this happens behind the scenes. A class action filed in the Northern District of California will be allowed to proceed to consider whether Facebook’s behind-the-scenes face-recognition technology violates Illinois’ Biometric Information Privacy Act (BIPA). Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019).
Nimesh Patel, individually and on behalf of all others similarly situated, filed a purported class action against Facebook alleging Facebook subjected the named plaintiffs and the purported class to facial-recognition technology without complying with BIPA, which is intended to safeguard their privacy. BIPA, 740 ILCS 14/1 et seq. (2008), prohibits the collecting, using, and storing of biometric identifiers, including a “scan” of “face geometry”. Plaintiffs alleged Facebook used scans of their photos without obtaining a written release and without establishing a compliant retention schedule.
For years, Facebook has allowed its users to “tag” their Facebook friends in photos. In 2010, Facebook launched a feature called “Tag Suggestions.” This feature uses facial-recognition technology to analyze whether the user’s Facebook friends are in photos and then “suggest” a tag. It does so by scanning the photo, extracting various geometric data points that make a face unique, and creating a face signature or map. It then compares the face signature to other faces in Facebook’s database and matches it to other user profiles. These user templates are stored on Facebook servers in nine data centers, none of which is in Illinois. The named Plaintiffs are all Illinois residents who uploaded photos to Facebook while in Illinois. Facebook created and stored face templates for each of them.
Facebook moved to dismiss the complaint for lack of standing on the ground that the Plaintiffs had not alleged any concrete injury. Plaintiffs, in turn, moved to certify the class. The district court denied the Motion to Dismiss and certified a class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.”
On appeal of the standing issue, the 9th Circuit noted standing is established where a plaintiff has suffered an “injury-in-fact” defined as an invasion of a legally protected interest which is: (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical. It is not enough for a plaintiff to allege that a defendant has violated a statutory right without also showing that the plaintiff suffered a concrete injury-in-fact due to the statutory violation.
In terms of BIPA, the appellate court noted that the Illinois General Assembly found that the development and use of biometric data presents risks to Illinois’ citizens. Citing to the Illinois Supreme Court’s opinion in Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186, which we previously discussed here, the court concluded that the statutory provisions at issue in BIPA were established to protect an individual’s “concrete interests” in privacy, not merely his procedural rights related to how his biometric information was stored and used.
The question then became whether the specific statutory violations alleged by the Plaintiffs in this case actually harmed or presented a material risk of harm to such privacy interests. The relevant conduct according to Plaintiffs was Facebook’s collection, use and storage of biometric identifiers without a written release and a failure to maintain a retention schedule or guidelines for destroying biometric identifiers. Plaintiffs asserted this allows Facebook to create and use a face template and retain it indefinitely. The court noted that because the privacy right protected by BIPA is the right not to be subject to such collection and use, Facebook’s alleged violation would necessarily violate the Plaintiffs’ substantive privacy interests. It concluded, therefore, that Plaintiffs have alleged a concrete injury-in-fact sufficient to confer standing.
On the class certification issue, Facebook argued the district court erred in certifying the class because the Illinois legislature did not intend for BIPA to have extraterritorial effect. Because Facebook’s collection, storage, and template creation took place on its serves outside Illinois, Facebook argued the district court would have to consider whether each relevant event took place inside or outside Illinois. The Court of Appeals disagreed. It is reasonable to infer that the General Assembly contemplated BIPA’s application to individuals located in Illinois, even if some relevant events occurred outside the state. The court held that these are threshold questions of BIPA’s application which can be decided on a class-wide basis.
Facebook also argued that the possibility of a large class-wide statutory damages award defeats the superiority requirement for a class action. Again, the appellate court disagreed. The question of whether the potential for enormous liability can justify a denial of class certification depends on legislative intent. Here, there is nothing in BIPA’s text or legislative history indicating a large statutory damages award would be contrary to the intent of the Illinois General Assembly. The court, therefore, affirmed the district court’s order certifying the class.
The law surrounding BIPA continues to develop, which is unsurprising considering the speed with which relevant technological capabilities develop. With this opinion, the extraterritorial reach of BIPA is established and may well lead to more litigation outside the confines of the Illinois state and federal courts.