Is Facebook Violating Your Privacy Rights?

A woman browsing the web on an iPadIs Facebook violating your privacy rights? If you live in Illinois and upload your picture to Facebook, the answer may be “yes.”

Facebook launched a “Tag Suggestions” feature in 2010 that is meant to encourage users to tag photographs. A “tag” links a person in a photograph posted to Facebook to that person’s Facebook profile. “Tag Suggestions” uses facial recognition software to compare faces in uploaded photographs to other faces on Facebook in an attempt to associate those faces with Facebook profiles. If the software matches a face to a Facebook user, it will suggest that the photograph be tagged with the user’s name.

Lawsuit Alleges Privacy Violation

A federal class action lawsuit in the Northern District of California alleges that Facebook’s use of facial recognition technology violates the Illinois Biometric Information Privacy Act (BIPA). That law prohibits companies from gathering biometric data from consumers without their permission. Specifically, the law prohibits a company from gathering biometric information concerning a person unless it first:

  • informs the person in writing that it is collecting and storing biometric information;
  • informs the person in writing of the specific purpose and length of time for which the information is being collected, stored, and used; and
  • receives a written release from the person authorizing the collection, storage, and use of the person’s biometric information.

The same law requires companies that collect biometric information to make available a written policy establishing a retention schedule and guidelines for the permanent destruction of the information it collects. Biometric information to which the law applies includes a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.

Facebook Registrants Are Bound By Its Terms of Service

Facebook asked the court to dismiss the lawsuit on the ground that a “choice of law” provision in its user agreement requires claims against Facebook to be governed by California law. The plaintiffs who brought the lawsuit argued that they did not agree to Facebook’s terms of use. Yet when they registered for Facebook, they all checked a box confirming that they had “read and agreed to” Facebook’s Terms of Use and Privacy Statement.

The common understanding that website users almost never read the site’s terms of use did not alter the court’s conclusion that the plaintiffs entered into a valid contract with Facebook. While courts tend to be skeptical of “browsewrap” agreements (the user is told that “by using this website you agree to our terms of service”), courts usually enforce “clickwrap” agreements (the user clicks a box verifying that the user agrees to abide by the terms of service). Despite the court’s concerns that a single click next to a statement referring to hyperlinked terms might bind users to terms that the user never saw, the court followed precedent by holding that the plaintiffs agreed to follow Facebook’s terms of use.

Facebook Cannot Shield Itself From BIPA

The class action was commenced in federal court in Illinois on behalf of Illinois residents. It was later transferred to a federal court in California pursuant to a clause in the terms of use that requires claims against Facebook to be resolved in California.

The terms of use also stated that California law should apply to claims against California. Facebook argued that BIPA, an Illinois law, could not be enforced in California. The district court disagreed.

While parties to a contract are generally free to select the state law that will govern the contract, states have strong interests in having their laws enforced. A court is unlikely to accept the parties’ agreement to be bound by the law of a state if doing so would be contrary to a fundamental policy of the state in which a contract was made. In deciding whether to enforce a choice of law agreement, the court will also consider which state has a greater interest in the determination of the case.

Here, the choice is between California law, which has not enacted its own version of BIPA, and Illinois, which has. The district court decided that Illinois has a stronger interest in the resolution of the dispute than does California. While California has a general interest in enforcing contracts, Illinois has a specific interest in enforcing BIPA.

The Illinois law is intended to protect people in Illinois from the unconsented collection of their biometric data. The law implements a fundamental policy that the Illinois legislature expressly deemed “substantial.” The law is intended to protect privacy interests, to safeguard website users from identity theft, and to avoid the misuse of biometric data that is collected without consent. Large corporations like Facebook are exactly the kind of biometric information collectors that the law is intended to target.

Allowing Facebook to circumvent BIPA by requiring Illinois Facebook users to be bound by California law would defeat a fundamental protection that the State of Illinois gives to its residents. As the district court noted, applying California law would write the Illinois law out of existence. The court refused to do so and accordingly denied Facebook’s motion to dismiss the lawsuit.

Implications of Court’s Ruling

Plaintiffs who prevail in a BIPA lawsuit can collect $1,000 for each negligent violation, or $5,000 for each reckless or intentional violation, as well as attorney’s fees. As of March 2011, Illinois reportedly had nearly 7 million Facebook users.

The lawsuit alleges that Facebook, with more than one billion worldwide users, has “secretly amassed the world’s largest privately held database of consumer biometric data.” Although Texas and Connecticut have joined Illinois in enacting biometric data protection laws, the remaining 47 states have no law protecting biometric data. As other states consider protecting the privacy of biometric information, Facebook may face additional liability if it does not modify its use of facial recognition software. Facebook may need to make its facial recognition tagging software an optional feature that Facebook members may implement only after they are told of its existence and expressly consent to its use.

comments powered by Disqus

Find the Right Lawyer for Your Legal Issue!

Fast, Free, and Confidential

Call us today for a free consultation (855) 466-5776