On February 26, 2021, Facebook was ordered to pay $650 million for violating Illinois State privacy laws. More than 1.6 million state residents are expected to receive at least $345 each in a ruling made at a California federal court in the settlement.
The cumulative settlement amount was $100 million more than what Facebook had initially proposed in 2020. According to the presiding judge, $550 million was inadequate to compensate all the injured victims when the tech giant infringed on their privacy rights by collecting and using facial recognition data without their consent.
What was the Illinois Facebook lawsuit all about, and what does it mean for privacy laws in the country going forward? Here’s everything you need to know about it.
Facebook Biometric Lawsuit – The Genesis
On April 1, 2015, Carlo Licata proposed a class-action lawsuit against Facebook. He argued that the tech giant had violated Illinois state law, which requires residents to provide explicit consent before third parties can use their biometric information.
In the suit filed in the Cook County court, Licata alleged that he and countless other Illinois residents had suffered grievous harm under Facebook’s “Tag Suggestions” feature.
The functionality operates on powerful facial recognition technology and runs without the consent of those being tagged in the photos.
The complaint states, in part, that the proprietary facial recognition software raises issues of privacy with biometrics. The tech giant actively hid the fact that its Tag Suggestion feature scans users’ uploaded photos, extracts unique biometric markers from them, and uses it to locate them in other pictures uploaded by users on the platform to determine who they are.
In the complaint, Licata further asserted that Facebook had failed to disclose the extent of its biometric data collection practices in its privacy policies and failed to prompt users to acknowledge the aforementioned practices.
The company merely “hinted” at the fact that the Tag Suggestions feature used facial recognition software on remote parts of the social platform.
This effectively left millions of Facebook users in the dark about the true nature of the technology, all the while secretly amassing the world’s largest collective database of consumer biometrics information.
Licata petitioned the court to declare that the tech giant was in gross violation of the Illinois Biometric Information Privacy Act, order the company to cease the illicit practice, and award statutory damages in a Facebook privacy lawsuit that was yet to be certified.
Facebook Privacy Issues
While some users of the social site probably don’t mind the tagging feature, others may have huge reservations against it and have likely suffered enormous embarrassment as a result of auto-tagging.
Although Facebook’s privacy-related default settings did give users the option to opt-out of the automated tagging feature, it was still not consistent with Illinois privacy laws, which require users to provide opt-in consent for the collection of their data.
Biometric Information Privacy Act of 2008
The Biometric Information Privacy Act (BIPA) was enacted by the Illinois General Assembly in 2008 to address the risks associated with the collection of biometric data, including facial identifiers, voiceprints, fingerprints, retinal scans, etc.
In the wrong hands, such sensitive biological information gives individuals with sinister motives a permanent biological identifier for the victim. This increases the likelihood of identity theft.
BIPA addresses four principal points of concern:
This means that any private entity that intends to collect any form of biometric information on an individual needs to inform the person in question that their data is being collected, why it’s being collected, and for how long the collection process will go on. The person then has to consent to the collection of their biometric data and notably provide a written release.
BIPA goes a step further to impose five key obligations to ensure that the privacy rights of Illinois state residents are protected.
1. Data Retention and Destruction Policy
Any private entity in possession of biometric data is obligated to develop a written policy that’s widely available to the public, establishing data retention guidelines and timelines for the permanent destruction of the biometric data they collect.
2. Written Release
Any private entity obtaining biometric data is prohibited from doing so without informed, written consent for the individual(s) in question.
3. Ban on Profiting
The provisions of BIPA prohibit private entities from selling, trading, or leasing any biometric information in their possession even with express consent from its owners. Entities cannot use the information they collect for profit-making activities.
4. Disclosure Restrictions
The law bars private entities from disclosing, re-disclosing, or otherwise disseminating biometric information in their possession unless they obtain consent or provide disclosure if the data is required for specific purposes.
For instance, disclosure would be necessary under a valid subpoena, warrant, or any other reason required by law. It would also be necessary for the completion of a financial transaction.
5. Security Requirements
BIPA requires private entities in possession of biometric data to institute what it deems to be a “reasonable standard of care” applicable to the existing guidelines and regulations of the industry they operate in.
The law compels private entities to use the same (if not higher) standards of data protection in the same way they do for other sensitive information in their possession, including Social Security numbers, account numbers, passcodes, etc.
Perhaps the most striking aspect of BIPA has to be the inclusion of a Private Right of Action clause. This allows any Illinois resident who suffers injuries at the hands of private entities that violate BIPA to recover damages “for each violation.” This includes:
- Up to $1,000 worth of actual/liquidated damages (whichever is greater) for negligent violations
- Up to $5,000 worth of actual/liquidated damages (whichever is greater) for reckless or intentional violations
- Applicable attorney’s fees and litigation expenses, including expert witness fees
- Any other available relief, including an injunction
Despite its enactment in 2008, it was only until 2015 that plaintiffs began to file related lawsuits, with most cases filed between 2017 and 2019.
The court rulings in these periods, including that of the Facebook lawsuit, have set a new precedent in privacy laws and given potential plaintiffs an idea of whether their cases are viable.
Facebook Lawsuit Settlement
Even though Facebook maintained its stance, denying that it did anything wrong, the tech company went ahead to participate in settlement negotiations.
In January 2020, the company offered to pay $550 million in the settlement. This, however, was rejected by the presiding judge, who stated that the payouts to the plaintiffs would be too low.
The existing provisions of BIPA allow for damages to be paid to aggrieved individuals even in instances where no actual harm can be substantiated.
The fact that BIPA permits the payout of damages to the tune of $1,000 to $5,000 for each Facebook privacy violation would see the tech company pay an estimated $47 billion in compensation.
This would amount to a $5,000 payout for each plaintiff or the maximum payable amount in damages allowed by BIPA.
On February 26, 2021, the presiding federal judge approved a $650 million settlement in the class-action suit. Class members were required to fill in a Facebook class action lawsuit claim form by November 23, 2020, to qualify for a payout.
What It Means for the Future Biometric Cases
Facebook privacy concerns have attracted a lot of skepticism from the public. Political and social pushback against the unauthorized collection and use of biometric data continues to mount as companies like Amazon, Microsoft, and IBM pledging to deny or limit law enforcement access to their technology.
US lawmakers have gone a step further to introduce a federal bill that would prohibit the use of facial recognition technology by federal law enforcement agencies.
If enacted, the Facial Recognition and Biometric Technology Moratorium Act would make it illegal for federal agencies and officers alike to acquire, access, possess, or use any technology designed for biometric surveillance.
The proposed legislation comes at a time when the police use of facial recognition software has come under increased scrutiny. Several studies have repeatedly shown that facial recognition technology is significantly less accurate for Black people.
For instance, on June 20, 2020, Robert Julian-Borchak Williams, an African-American man, was wrongfully arrested based on a flawed match from a faulty facial recognition system.
With some government agencies and private companies taking measures to enhance biometric data protections, other entities are expanding the scope of the use of such technology. Apple, for instance, uses facial recognition as a security tool in iPhones.
With the recent Facebook settlement, more lawsuits targeting biometric data collection continue to be filed, invoking BIPA in addition to other existing privacy laws.
The biggest test for these cases will be how viable the lawsuit is under BIPA, based on whether the prospective defendants’ actions were within statutory requirements.
As far as biometric data storage goes, compliance experts working in the cybersecurity sector would be best placed to establish what constitutes “reasonable care” and whether or not prospective defendants met that standard.
If the defendants in question failed on that front, the issue becomes whether the failure was intentional/reckless or negligent. The amount in damages awarded by the court depends on which of the two categories the defendants’ actions fall under.
48 States Sue Facebook
In a recent turn of events, the US government, through the Federal Trade Commission, and 48 states, through their respective attorneys general, filed antitrust lawsuits against Facebook.
The parallel suits filed on December 9, 2020, seek to break up Facebook over charges of engaging in illicit, anti-competitive strategies to bully, buy, and crush its smaller competitors.
According to the suits, the company has repeatedly abused its market dominance by creating a monopoly and killing off competition.
Facebook’s Acquisition of Instagram and WhatsApp
The tech giant’s hunger for total market dominance was seen in the company’s 2012 acquisition of the then-newcomer rival, Instagram, as well as that of the mobile messenger, WhatsApp, in 2014.
When the company CEO Mark Zuckerberg, quickly realized that Instagram, a vibrant new photo-sharing network posed an existential threat to the tech behemoth, the company decided to buy it for $1 billion rather than compete with it.
The complaint states, in part, that the purchase decision made by Facebook now makes it more difficult for any other social networking competitor to gain any form of traction in the tech space.
Two years after that, Facebook identified WhatsApp as a global niche leader in mobile messaging and decided to buy it for $19 billion to quash it.
The company has also been accused of imposing anti-competitive conditions on software developers to maintain its existing market dominance.
Facebook only made key application programming interfaces (APIs) available to third-party software developers, with the stipulation that they could not develop competing functionalities for other social media platforms. It was the only way these software developers could build apps that connect to Facebook.
The lawsuit seeks a permanent injunction in federal court requiring:
- The company’s divestiture of the assets it currently holds, namely Instagram and WhatsApp messenger
- The prohibition of the company from imposing conditions on software developers that would be considered anti-competitive
- The compulsion of social media giants to issue a notice of and seek approval for all mergers and acquisitions in the future
The major problem with Facebook’s aggressive “buy-or-crush” tactics is that users who have justifiable privacy concerns about their data usage have no choice but to keep using the company’s services as-is. According to the state attorneys general, that’s the danger of a monopoly.
A Tough New Reality for Big Tech
The landmark Illinois BIPA law now provides a solid framework for other states to come up with similar privacy protection laws.
With legislative, state, and federal-level regulators now proposing tough new measures to rein in big tech using aggressive legislation, companies like Facebook will have no choice but to do business on a state-by-state basis.
That is if they want to avoid getting slapped with similar lawsuits in the future. The Illinois Facebook lawsuit has certainly set a new precedent in privacy laws in different states across the country.
Got any legal questions for us? Chat online with a Laws101 attorney today.