Judge OKs Class Action Status For Illinoisans Claiming Facebook Violated State Privacy Law

from the face-off dept

The last time we discussed Illinois’ Biometric Information Privacy Act, a 2008 law that gives citizens in the state rights governing how companies collect and protect their biometric data, it was when a brother/sister pair attempted to use the law to pull cash from Take-Two Interactive over its face-scanning app for the NBA2K series. In that case, the court ruled that the two could not claim to have suffered any actual harm as a result of using their avatars, with their real faces attached, in the game’s online play. One of the chief aspects of the BIPA law is that users of a service must not find their biometric data being used in a way that they had not intended. In this case, online play with these avatars was indeed the stated purpose of uploading their faces and engaging in online play to begin with.

But now the law has found itself in the news again, with a federal court ruling that millions of Facebook users can proceed under a class action with claims that Facebook’s face-tagging database violates BIPA. Perhaps importantly, Facebook’s recent and very public privacy issues may make a difference compared with the Take-Two case.

A federal judge ruled Monday that millions of the social network’s users can proceed as a group with claims that its photo-scanning technology violated an Illinois law by gathering and storing biometric data without their consent. Damages could be steep — a fact that wasn’t lost on the judge, who was unsympathetic to Facebook’s arguments for limiting its legal exposure.

Facebook has for years encouraged users to tag people in photographs they upload in their personal posts and the social network stores the collected information. The company has used a program it calls DeepFace to match other photos of a person. Alphabet’s cloud-based Google Photos service uses similar technology and Google faces a lawsuit in Chicago like the one against Facebook in San Francisco federal court.

Both companies have argued that none of this violates BIPA, even when this face-data database is generated without users’ permission. That seems to contradict BIPA, where fines between $1,000 and $5,000 can be assessed with every use of a person’s image without their permission. Again, recent news may come into play in this case, as noted by the lawyer for the Facebook users in this case.

“As more people become aware of the scope of Facebook’s data collection and as consequences begin to attach to that data collection, whether economic or regulatory, Facebook will have to take a long look at its privacy practices and make changes consistent with user expectations and regulatory requirements,” he said.

Now, Facebook has argued in court against this moving forward as a class by pointing out that different users could make different claims of harm, impacting both the fines and outcomes of their claims. While there is some merit to that, the court looked at those arguments almost purely as a way for Facebook to try to get away from the enormous damages that could potentially be levied under a class action suit, and rejected them.

As in the Take-Two case, Facebook is doing everything it can to set the bar for any judgement on the reality of actual harm suffered by these users, of which the company claims there is none.

The Illinois residents who sued argued the 2008 law gives them a “property interest” in the algorithms that constitute their digital identities. The judge has agreed that gives them grounds to accuse Facebook of real harm. Donato has ruled that the Illinois law is clear: Facebook has collected a “wealth of data on its users, including self-reported residency and IP addresses.” Facebook has acknowledged that it can identify which users who live in Illinois have face templates, he wrote.

We’ve had our problems with class actions suits in the past, but it shouldn’t be pushed aside that this case has the potential for huge damages assessed on Facebook. It’s also another reminder that federal privacy laws are in sore need of modernization, if for no other reason than to harmonize how companies can treat users throughout the United States.

Filed Under: , , , ,
Companies: facebook

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Judge OKs Class Action Status For Illinoisans Claiming Facebook Violated State Privacy Law”

Subscribe: RSS Leave a comment
Mason Wheeler (profile) says:

There’s something very creepy going on with Facebook’s face-tagging system.

A few months back, when I got engaged to my girlfriend (now wife), I took a pic of her wearing the ring and put it up on FB. It immediately tagged the photo as being of her, but I honestly have no idea how, given that she only had one photo of herself on her profile, and it was a very poor-quality image, and also several years old; the face in that photo doesn’t look at all like what she looks like today. But somehow it identified her, and that kind of creeps me out.

Anonymous Coward says:

Told you kids for years that corporations have ZERO right to

collect and collate information! That when normal people find out what corporations are ACTUALLY doing that they may well drag executives out into the street and HANG them!

A day of reckoning is coming for GOOGLE too. The Public simply does not have to ALLOW corporations to do much spying / gain so much money in order to provide the services that we want.

This is likely to end up short of justice, though starts a good and continuing trend. (Facebook and Google affect billions of people every day, you know, this isn’t some distant theoretical violation.)

Anonymous Anonymous Coward (profile) says:

Re: Told you kids for years that corporations have ZERO right to

While I despise the collection of personal data by any company, or the government, your method of displaying your angst is not going to change anyone’s mind. Try your particular manner of speaking on your legislative representatives, see what it gets you. Try a more moderate tone, and see what that brings. It will take a whole lot more than just you making those calls, or written messages, maybe you could try to convince your friends (do you have any?) and neighbors to help. Remember, you get more with honey than with vinegar. Do you even know what that means, or how to do it? One gets the populace to move by informing them and convincing them, not by berating them. Look to folks like Dr. Martin Luther King or Mahatma Gandhi for examples.

WhereDoesThisGo says:

Lawsuit needs to proceed as class action

People are now aware of what happens to their data.

Companies with deep pockets and buildings of lawyers need to stop with the arbitration clauses and update their legal policies.

Current education on Data privacy has been working its way through people’s minds.

People are now aware of what happens to their data.

I am hoping for a huge win here through this class action.
Facebook can afford the fines, let’s not give comfort to the comforted.

At some point, I want a ruling akin to the antitrust against Microsoft.

Something that forces companies to change, to behave – Rulings that set an updated bar for the areas of law that haven’t caught up with the technology.

Rulings that help those that create legislation realize voters are knowledgeable, legislators have no more excuses.

Profit’s will still be there, the business model underlying those profits will be forced to change – a behavioral change.

Make your money, just do it on the up and up.

Anonymous Coward says:

I feel like the bad guy on Taken – “good luck.” The only thing that has been saving us are competing corporate interests and corrupt politicians punishing corporations not playing politics. How many copyright extensions have we given to Disney? How many government protected monopolies to Comcast and the cable industry? How much broadcast spectrum does ClearChannel own? The change we are getting is corporations realizing government is an effective tool for them. If you think we have politicians who care for the little guy over their own self interests, I’d say those days are gone. The only thing more government is going to do is give them a larger scale to tilt in their favor. I say remove the incumbent protections and let competition start again.

Sok Puppette (profile) says:

actual harm suffered by these users, of which the company claims there is none.

The creatures making that argument shouldn’t even be treated as human.

different users could make different claims of harm, impacting both the fines and outcomes of their claims.

That’s been true in every class action ever. The big problem with class actions is that they usually get settled for pennies. What judges need to do is to stop approving settlements that don’t really compensate people and only pay lawyers.

If the fines run between $1000 and $5000, then great, let’s average that and fine Facebook $3000 for each template created, each photo tag collected, and each attempted facial match. At a minimum, every match attempt is obviously a "use", so they shouldn’t get away with just getting fined per template.

We’ve had our problems with class actions suits in the past, but it shouldn’t be pushed aside that this case has the potential for huge damages assessed on Facebook.

Good. If it puts Facebook out of business, that will be a good thing for the world.

Furthermore, it would be good if there were individual liability for any user who ever "tagged" anybody in a Facebook photo without the "tagee’s" explicit consent.

Let’s not forget that the whole photo tagging and facial recognition thing is a fundamentally rotten thing to do, and that’s obvious to anybody who’s not an amoral piece of shit. Prison time for the people who built it would not be out of line.

John85851 (profile) says:

Tagging people

Here’s my story:
Sometimes my sister’s husband posts photos of their kids. Okay, nothing wrong with that.
But then when I see the photo in my timeline, Facebook asks me if I want to tag my sister in the photo.

Issue #1: Does my niece really look that much like my sister that Facebook thinks it’s her? We’re talking about a 10 year-old girl and her 40 year-old mom.

Issue #2: Why am I allowed to tag someone else’s photos if I’m not in it? I can understand tagging myself, but this is a photo posted by my brother-in-law (whom I’m friends with) of his kids. NO ONE else should be able to tag the photo.

Issue #3: If I click to tag my sister, Facebook will create a post on all of her friends’ timelines saying she was tagged in a photo, which will push the photo to a wider audience. I don’t know if this is what my brother-in-law intended when he posted the photo.

Facebook will probably claim this increases “social connections” or some such, but it just feels wrong to me.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...