Whenever a company may be guilty of something, from petty neglect to grand deception, there's usually a class action lawsuit filed. But until a judge rules that lawsuit legitimate, the threat remains fairly empty. Unfortunately for Facebook, one major suit from 2015 has just been given that critical go-ahead.
The case concerns an Illinois law that prohibits collection of biometric information, including facial recognition data, in the way that Facebook has done for years as part of its photo-tagging systems.
BIPA, the Illinois law, is a real thorn in Facebook's side. The company has not only been pushing to have the case dismissed, but it has been working to have the whole law changed by supporting an amendment that would defang it — but more on that another time.
(Update: Although Facebook's own Manager of State Policy Daniel Sachs co-chairs a deregulatory tech council in the Illinois Chamber of Commerce that proposed the amendment, the company maintains that "We have not taken any position on the proposed legislation in Illinois, nor have we suggested language or spoken to any legislators about it." You may decide for yourself the merit of that claim.)
Judge James Donato in California's Northern District has made no determination as to the merits of the case itself; first, it must be shown that there is a class of affected people with a complaint that is supported by the facts.
For now, he has found (you can read the order here) that "plaintiffs' claims are sufficiently cohesive to allow for a fair and efficient resolution on a class basis." The class itself will consist of "Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011."
An earlier, broader class suggested by the plaintiffs included all Illinois users who appeared in a photograph on Facebook, but the judge, commendably, decided that this would include people who appeared in images but were not in fact recognized or recorded as face templates by the recognition systems. The more limited class will still amount to millions of people.
Facebook's attempt to discredit the suit, quibbling over definitions and saying the plaintiffs "know almost nothing" about the systems in question, did not go over well with the judge. "The deposition testimony by the named plaintiffs shows a perfectly adequate understanding of the case, and it clearly manifests their concerns about Facebook's treatment of personal biometric data," he writes.
Its suggestion that no "actual" harm was caused also fails to hold water: "As the Court has already found, there is no question that plaintiffs here has sufficiently alleged that intangible injury." Requiring "actual" injury would severely limit the reach of a rule like BIPA in Illinois, because, of course, the harm caused is one to one's privacy and security, not to one's body or wallet. Of course, the question of whether users consented to their "intangible injury" is yet to be settled, and may be a major crux in the case.
Facebook also tries the old chestnut of saying its servers aren't in Illinois, so Illinois law doesn't apply. "Contrary to Facebook's suggestion," writes Donato, "the geographic location of its data servers is not a dispositive factor. Server location may be one factor in the territoriality inquiry, but it is not the exclusive one."
Lastly and most absurdly, Facebook argued that to establish legitimacy it would be necessary to check which users' face templates were derived from scans of printed photographs instead of natively digital shots. "This too is unavailing," says Donato, citing a total lack of evidence presented by Facebook.
When contacted for comment, Facebook provided a simple statement:
We are reviewing the ruling. We continue to believe the case has no merit and will defend ourselves vigorously.
The case will go ahead as ordered, though as before, at a snail's pace.