As discussed in past posts about the long-running Facebook biometric privacy class action, users are challenging Facebook’s “Tag Suggestions” program, which scans for and identifies people in uploaded photographs for photo tagging. The class alleges that Facebook collected and stored their biometric data without prior notice or consent in violation of the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq.  While other technology companies face BIPA actions over photo tagging functions, In Re Facebook is the headliner of sorts for BIPA litigation, being the most closely-watched and fully-litigated.

There have been a host of new developments in this case as the parties continued to joust when the prospect of a trial was looming.  Earlier this month, a California district court denied both parties’ motions for summary judgment and found that a “multitude of factual disputes” barred judgment as a matter of law for either side.   (In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal. May 14, 2018)).  The court’s prior orders over the past several years provide the context for the denial of summary judgment and the court’s refusal to revisit procedural rulings. See: In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016) (declining to enforce California choice of law provision in user agreement and applying Illinois law and refusing to find that the text of BIPA excludes from its scope all information involving photographs); Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018) (declining to dismiss based on lack of Article III standing); In re Facebook Biometric Info. Privacy Litig., No. 15-03747, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018) (certifying Illinois user class and refusing Facebook’s renewed arguments to dismiss on procedural grounds). 

On May 29, 2018, the trial judge again attempted to spur the matter onto trial when it denied Facebook’s request to stay the proceedings while it seeks interlocutory review from the Ninth Circuit of the court’s order certifying a class for trial.  Read together with these prior rulings, the court’s latest decisions had the overarching tone of “Enough already.”  However, on the same day, the Ninth Circuit issued a one-page order agreeing to accept Facebook’s interlocutory appeal of the trial court’s order granting class certification and stay the lower court proceedings (Patel v. Facebook, Inc., No. 18-80053 (9th Cir. May 29, 2018)).  As a result, the July trial date has been vacated and we will be watching how the Ninth Circuit examines the class certification issue, which may prompt the appeals court to look anew at certain hotly-contested procedural arguments that have already been the subject of multiple motions in the lower court.

Some Noteworthy Aspects of the May 14th Ruling Denying Summary Judgment

  • “Actual” Injury: The lower court again rebuffed Facebook’s interpretation of the Illinois appellate court decision in Rosenbach that a litigant had to “prove something more than a violation of BIPA’s notice-and-consent provisions” to prevail – that is, show an “actual” injury beyond the invasion of privacy rights outlined under BIPA.  The court noted that it had already “expressly rejected” this argument in its April decision, finding Rosenbach did not carry as much weight as Facebook suggests because that particular plaintiff failed to plead any harm or injury to a privacy right, as opposed to the instant case where the plaintiffs “sufficiently alleged” an intangible injury.
  • Face Scanning Technology: The court found too many factual disagreements about Facebook’s face recognition functions to warrant a ruling on summary judgment to either party.  Plaintiffs’ case rests largely on whether Facebook collects and stores “scans of face geometry” as envisioned under BIPA (the definition of “biometric identifiers” under BIPA includes “scan[s] of . . . face geometry”), and the parties have advanced conflicting interpretations of how the software at issue processes human faces from photographs.  Plaintiffs argued that the technology collects scans of face geometry because it uses human facial regions to process and recognize face images. Facebook countered that the technology is not reliant on human facial features but uses machine learning techniques that analyze all of the pixels in a face image and not any particularly human feature to accomplish facial recognition (according to Facebook’s expert, the technology would still calculate a “face signature’” even if provided with an image of something other than a face).   Facebook even argued that the BIPA statutory term “scan” in “scan of face geometry” necessarily connotes an express measurement of human facial features, and that its technology does not scan face geometry. However, the court ruled that the term “scan” does not necessarily demand “actual or express measurements” and that genuine issues of fact over Facebook’s facial recognition technology would need to be resolved at trial.
  • BIPA Photograph Exclusion: The court reiterated that it had already considered at an earlier stage and rejected Facebook’s argument that BIPA regulates only in-person or “live” scans of facial geometry, and that information derived from photographs, whether analog or digital, is categorically excluded from the statute.
  • Dormant Commerce Clause: The court rejected Facebook’s argument that subjecting it to BIPA would violate the dormant commerce clause, which applies when a state tries to regulate economic conduct wholly outside its borders with the goal of protecting local businesses from out-of-state competition (note: Facebook claims that it processes facial recognition on servers outside the state of Illinois).  The court found enough of a local focus to turn away the argument: “This lawsuit is under an Illinois state statute on behalf of Illinois residents who used Facebook in Illinois.”  Interestingly, the court stated that evidence showed that Facebook can activate or deactivate features for users in specific states when it wants to do so, presumably using geoblocking technology, and thus Facebook would not have to change it practices with respect to users in other states to comply with BIPA.

Looking Ahead 

The Ninth Circuit will soon review the lower court’s April 2018 class certification order (note: the class consists of Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011).  While a full discussion of the class issues is beyond the scope of this blog post, generally speaking plaintiffs must show, among other things, that there are questions of law or fact common to class members that predominate over any questions affecting only individual members. As seen in the lower court’s decision, the class certification analysis has some overlap with the merits of the plaintiff’s underlying claim, and it is here where the Ninth Circuit’s decision may be interesting.  While the parties agreed that the basic question of whether Facebook’s facial recognition technology collected biometric identifiers as contemplated under BIPA and whether Facebook followed the requisite notice and consent practices reached the entire class, Facebook had objected to the certification because it believed certain legal issues were not common to the class.  Most notably, Facebook contended the issue of whether a class member is “aggrieved” as that word is used in BIPA, which grants a private right of action only to “persons aggrieved” under it, can be resolved only by individualized evidence and not on a class basis.  As such, it seems that the Ninth Circuit may undertake its own review of the Rosenbach decision and whether BIPA’s use of the term “aggrieved” requires injury or harm beyond the alleged statutory violation.  The Ninth Circuit may also rule on Facebook’s tangential arguments of extraterritoriality and whether the location of Facebook’s servers may be dispositive about whether the bulk of circumstances surrounding the face scanning occurred within Illinois.

Whatever the outcome, the appeals court’s decision will certainly influence other ongoing biometric privacy litigation over photo tagging practices, and perhaps even the BIPA-related litigation occurring in Illinois state courts against employers and businesses that use biometric technology for customer and employee authentication.  We will continue to follow these important developments in this area.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jeffrey Neuburger Jeffrey Neuburger

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise…

Jeffrey Neuburger is co-head of Proskauer’s Technology, Media & Telecommunications Group, head of the Firm’s Blockchain Group and a member of the Firm’s Privacy & Cybersecurity Group.

Jeff’s practice focuses on technology, media and intellectual property-related transactions, counseling and dispute resolution. That expertise, combined with his professional experience at General Electric and academic experience in computer science, makes him a leader in the field.

As one of the architects of the technology law discipline, Jeff continues to lead on a range of business-critical transactions involving the use of emerging technology and distribution methods. For example, Jeff has become one of the foremost private practice lawyers in the country for the implementation of blockchain-based technology solutions, helping clients in a wide variety of industries capture the business opportunities presented by the rapid evolution of blockchain. He is a member of the New York State Bar Association’s Task Force on Emerging Digital Finance and Currency.

Jeff counsels on a variety of e-commerce, social media and advertising matters; represents many organizations in large infrastructure-related projects, such as outsourcing, technology acquisitions, cloud computing initiatives and related services agreements; advises on the implementation of biometric technology; and represents clients on a wide range of data aggregation, privacy and data security matters. In addition, Jeff assists clients on a wide range of issues related to intellectual property and publishing matters in the context of both technology-based applications and traditional media.