U.S. Markets closed

Judge Certifies Class of Illinois Facebook Users in Privacy Suit Over Facial Recognition

[caption id="attachment_5033" align="alignnone" width="620"] Facebook headquarters (Photo: Jason Doiy/ALM)[/caption] A federal judge in San Francisco has certified a class of Illinois Facebook users in a privacy lawsuit set to go to trial later this year, escalating the stakes in a lawsuit that could result in billions of dollars in damages against the social media giant. U.S. District Judge James Donato of the Northern District of California on Monday certified a class in a case brought against Facebook under the Illinois Biometric Information Privacy Act, or BIPA—a law governing the collection and storage of biometric indicators like fingerprints, facial features and iris scans. A Facebook spokesperson said Wednesday afternoon that the company was reviewing the decision. "We continue to believe the case has no merit and will defend ourselves vigorously," the spokersperson said. Plaintiffs claim that Facebook violated BIPA by collecting and storing Illinois users' biometric data without prior notice or consent through its "Tag Suggestions" tool—a feature launched in 2011 that prompts users to identify friends in pictures uploaded to the social media site. Donato in February rejected Facebook's bid to dismiss the suit, finding BIPA left “little question that the Illinois legislature codified a right of privacy in personal biometric information.” In Monday's decision, Donato found that not all photos uploaded to Facebook resulted in the collection of biometric data. The judge rejected a proposed class of all Illinoisians with an uploaded photo during the class period as "too amorphous and potentially over-inclusive to be certified." But Donato found a more narrowly defined class--consisting of users in Illinois for whom Facebook stored a "face template" after June 7, 2011--could help address two questions central to the case: "[D]id Facebook’s facial recognition technology harvest biometric identifiers as contemplated under BIPA, and if so, did Facebook give users prior notice of these practices and obtain their consent?" Donato noted that Facebook's lawyers at Mayer Brown put great emphasis on their argument that not all class members qualified "aggrieved" parties under BIPA. Donato, however, wrote that Facebook's lawyers "almost exclusively" relied on Rosenbach v. Six Flags Entertainment, a December 2017 decision from Second District Appellate Court of Illinois which held that plaintiffs must allege “actual harm” to get BIPA claims to stick. While Donato downplayed the persuasiveness of the Six Flags decision, calling it "a currently unpublished opinion by an intermediate court of appeals in Illinois," he posited that the Illinois court likely would have found actual harm in the Facebook case. The Six Flags case, he noted, involved a season pass program where the amusement park clearly disclosed that it was collecting customer fingerprints to speed admissions. Donato wrote "an express request for a fingerprint scan is a far cry from the situation here, where plaintiffs plausibly argue that simply using Facebook or reading Facebook’s user policy did not put them on notice that Facebook was collecting their biometric data." The ruling sets up a high-stakes trial in the case, which is scheduled to begin in July. BIPA carries statutory damages of $1,000 for each negligent violation, and $5,000 for those that are “intentional and reckless.” Jay Edelson of Edelson PC, one of the lead lawyers for plaintiffs in the cases, declined to comment. Shawn Williams of Robbins Geller Rudman & Dowd, who also represents the plaintiffs, said he was "very pleased" with the "detailed and thorough opinion."