As discussed in a previous post on facial recognition technology, a putative class action has been filed against Facebook over the collection of “faceprints” for its online photo tagging function, Tag Suggestions. (See e.g., Licata v. Facebook, Inc., No. 2015CH05427 (Ill. Cir. Ct. Cook Cty. filed Apr. 1, 2015) (the case has been transferred to a San Francisco district court, Licata v. Facebook, Inc., No. 15-03748 (N.D. Cal. Consolidated Class Action Complaint filed Aug. 28, 2015)).
The plaintiffs claim that Facebook’s use of facial recognition technology to scan user-uploaded photos for its Tag Suggestions feature violates Illinois’s Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, and has been used to create, what the plaintiffs allege, is “the world’s largest privately held database of consumer biometrics data.”
Plaintiffs allege that Facebook extracts face geometry data (or faceprints) from user-uploaded photographs and retains such “biometric identifiers” within the meaning of the BIPA. The complaint alleges, among other things, that Facebook collected and stored biometric data without adequate consent. The complaint seeks an injunction and statutory damages for each violation (note: BIPA provides for $1,000 in statutory damages for each negligent violation, and $5,000 for intentional violations, plus attorney’s fees).
Last week, Facebook filed its motion to dismiss, arguing, among other things, that based on the choice of law provision in its terms of service, California, not Illinois, law should apply (thereby precluding users from bringing a claim under BIPA), and that, regardless, Section 10 of BIPA expressly “excludes both ‘photographs’ and ‘information derived from photographs’ from its reach.”
Those wanting a preview of the plaintiffs’ response to Facebook’s motion should look to a similar privacy action against Shutterfly currently being litigated in Illinois federal court. (See Norberg v. Shutterfly, Inc., No. 15-05351 (N.D. Ill. filed June 17, 2015)). There, the plaintiff brought claims under BIPA against the photo storage service Shutterfly for allegedly collecting faceprints from user-upload photos for a tag suggestion feature without express written consent and “without consideration for whether a particular face belongs to a Shutterfly user or unwitting nonuser.” In its motion to dismiss, Shutterfly, like Facebook, argued that scans of face geometry derived from uploaded photographs are not “biometric identifiers” under BIPA because the statute excludes information derived from photographs.
In his rebuttal, the plaintiff Norberg claimed if the intermediation of a photograph before processing face geometry excluded such data from the definition of a biometric identifier, then the statute would be meaningless:
“Defendants’ interpretation of the BIPA as inapplicable to face scans of photographs is contrary to the very nature of biometric technology and thus would undermine the statute’s core purpose. A photograph of a face is exactly what is scanned to map out the unique geometric patterns that establish an individual’s identity. Taken to its logical conclusion, Defendants’ argument would exclude all the biometric identifiers from the definition of biometric identifiers, because they are all based on the initial capture of a photograph or recording.”
We will be watching both disputes closely – if the suits are not dismissed on procedural or contractual grounds, this will be the first time a court will have the opportunity to interpret the contours of the Illinois biometric privacy statute with respect to facial recognition technology.