Is Facebook Violating Your Privacy Rights?
Is Facebook violating your privacy rights? If you live in Illinois and upload your picture to Facebook, the answer may be “yes.”
Facebook launched a “Tag Suggestions” feature in 2010 that is meant to encourage users to tag photographs. A “tag” links a person in a photograph posted to Facebook to that person’s Facebook profile. “Tag Suggestions” uses facial recognition software to compare faces in uploaded photographs to other faces on Facebook in an attempt to associate those faces with Facebook profiles. If the software matches a face to a Facebook user, it will suggest that the photograph be tagged with the user’s name.
Lawsuit Alleges Privacy Violation
A federal class action lawsuit in the Northern District of California alleges that Facebook’s use of facial recognition technology violates the Illinois Biometric Information Privacy Act (BIPA). That law prohibits companies from gathering biometric data from consumers without their permission. Specifically, the law prohibits a company from gathering biometric information concerning a person unless it first:
- informs the person in writing that it is collecting and storing biometric information;
- informs the person in writing of the specific purpose and length of time for which the information is being collected, stored, and used; and
- receives a written release from the person authorizing the collection, storage, and use of the person’s biometric information.
The same law requires companies that collect biometric information to make available a written policy establishing a retention schedule and guidelines for the permanent destruction of the information it collects. Biometric information to which the law applies includes a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
Facebook Registrants Are Bound By Its Terms of Service
Facebook Cannot Shield Itself From BIPA
While parties to a contract are generally free to select the state law that will govern the contract, states have strong interests in having their laws enforced. A court is unlikely to accept the parties’ agreement to be bound by the law of a state if doing so would be contrary to a fundamental policy of the state in which a contract was made. In deciding whether to enforce a choice of law agreement, the court will also consider which state has a greater interest in the determination of the case.
Here, the choice is between California law, which has not enacted its own version of BIPA, and Illinois, which has. The district court decided that Illinois has a stronger interest in the resolution of the dispute than does California. While California has a general interest in enforcing contracts, Illinois has a specific interest in enforcing BIPA.
The Illinois law is intended to protect people in Illinois from the unconsented collection of their biometric data. The law implements a fundamental policy that the Illinois legislature expressly deemed “substantial.” The law is intended to protect privacy interests, to safeguard website users from identity theft, and to avoid the misuse of biometric data that is collected without consent. Large corporations like Facebook are exactly the kind of biometric information collectors that the law is intended to target.
Allowing Facebook to circumvent BIPA by requiring Illinois Facebook users to be bound by California law would defeat a fundamental protection that the State of Illinois gives to its residents. As the district court noted, applying California law would write the Illinois law out of existence. The court refused to do so and accordingly denied Facebook’s motion to dismiss the lawsuit.
Implications of Court’s Ruling
Plaintiffs who prevail in a BIPA lawsuit can collect $1,000 for each negligent violation, or $5,000 for each reckless or intentional violation, as well as attorney’s fees. As of March 2011, Illinois reportedly had nearly 7 million Facebook users.
The lawsuit alleges that Facebook, with more than one billion worldwide users, has “secretly amassed the world’s largest privately held database of consumer biometric data.” Although Texas and Connecticut have joined Illinois in enacting biometric data protection laws, the remaining 47 states have no law protecting biometric data. As other states consider protecting the privacy of biometric information, Facebook may face additional liability if it does not modify its use of facial recognition software. Facebook may need to make its facial recognition tagging software an optional feature that Facebook members may implement only after they are told of its existence and expressly consent to its use.