On February 26, 2021, Judge James Donato of the U.S. District Court for the Northern District of California granted final approval of a proposed $650 million settlement in a biometric privacy class action lawsuit brought against Facebook. In re Facebook Biometric Information Privacy Litigation, Case No. 3:15-cv-03747-JD, Dkt. No. 537 (N.D. Cal. Feb. 26, 2021). The long-running litigation began in 2015, when class members alleged that Facebook collected and stored digital scans of their faces without prior notice or consent in violation of Sections 15(a) and 15(b) of the Illinois Biometric Information Privacy Act (“BIPA” or “the Act”), 740 Ill. Comp. Stat. 14/1 et seq. (2008).
In the consolidated class action complaint, the class members alleged that Facebook created a program in 2010 called “Tag Suggestions.” Dkt. No. 40 at 2. According to the complaint, Tag Suggestions works by scanning photographs uploaded by a user and then identifies faces appearing in those photographs. Facebook suggests that any individuals that Tag Suggestions recognizes be automatically tagged. The complaint alleged that “Tag Suggestions uses proprietary facial recognition software to extract from user-uploaded photographs the unique biometric identifiers (i.e., graphical representations of facial features, also known as facial geometry) associated with people’s faces” and that Facebook “does not disclose its biometrics data collection to its users, nor does it even ask users to acknowledge, let alone consent to, these practices.”
As put by the Supreme Court of Illinois, BIPA “was enacted in 2008 to help regulate ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’” Rosenbach v. Six Flags Entm’t Corp., 129. N.E.3d 1197 (Ill. 2019) (citing 740 Ill. Comp. Stat. 14/5(g)).
The class members brought two separate causes of action against Facebook. First, the class members alleged violation of Section 15(a)’s requirement that any “private entity in possession of biometric identifiers . . . must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers . . . when the initial purpose for collecting or obtaining such identifiers . . . has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. 740 Ill. Comp. Stat. 14/15(a).
Second, the class members alleged that Facebook’s collection, storage, and use of the class’s biometric identifiers, without notice or consent, violated Section 15(b). Section 15(b) makes it unlawful for any private entity to “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier . . . unless it first: (1) informs the subject . . . in writing that a biometric identifier . . . is being collected or stored; (2) informs the subject . . . in writing of the specific purpose and length of term for which a biometric identifier . . . is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier . . . .” 740 Ill. Comp. Stat. 14/15(b).
As part of the settlement, Judge Donato wrote, Facebook will require users to opt in to the “Face Recognition” setting and “will delete all existing and stored face templates for class members unless Facebook obtains a class member’s express consent after a separate disclosure about how Facebook will use the face templates.” Dkt No. 537 at 3. Facebook will also delete the face templates of any class members who have been inactive for three (3) years. Id. Facebook’s product manager testified under oath at the preliminary approval hearing that the change to the default “Face Recognition” setting would not just be in Illinois or in the United States – but global. Id.
The $650 million settlement showcases Illinois’ BIPA as a powerful and effective tool for private plaintiffs to protect the privacy rights they have with respect to their biometric data. On the other hand, the large payout demonstrates the importance for companies that collect biometric data to ensure compliance with the Act’s requirements.