Does Facebook Facial Recognition Violate the Law? Class Action Suit Moves Forward

The case against Facebook for use of biometric data is moving forward. An Illinois judge dismissed Facebook’s plea to toss it. The class action suit –ispotentially worth billions if successful. Illinois law can tag each violation with fines up to $5,000.

Illinois has a law called the Biometric Information Privacy Act. In short, the Act says businesses must get prior consent before collecting biometric data. Proponents argue that Facebook violates Illinois law by using facial recognition for photos.

If you are a Facebook user, you’ve no doubt had the experience where you go to post a picture and it somehow knows who is in it and suggests their name. The social network is accessing and storing the biometric data to accomplish this, which the suit says violates the Illinois law.

One of Facebook’s claims is that there has been no allegation of harm in the way it uses the data. Last month, however, an Illinois Appellate Court reversed a lower court ruling on a similar issue. A tanning salon in Illinois used fingerprint data and biometric identifiers for users to gain entry to the salon. The suit, Sekura v. Krishna Schaumburg Tan, Inc., claims the company stored the data, failed to provide disclosures and required written release, and disclosed the fingerprint information to a third-party vendor. The lower court had dismissed the suit on the grounds that there was no provable harm. The appellate court held that you can sue for a violation of the law without proving additional harm.

The Internet Association — which represents a range of some of the biggest names in tech — filed a friend-of-the-court brief supporting Facebook. The organization worries about the chilling effect the case could have on future tech developments.

“Biometric technologies serve many useful purposes in our society — from providing new authentication features that enhance security (like the ability to unlock one’s phone with a fingerprint), to facilitating the organization and sharing of photographs (like the ability to quickly retrieve photographs stored in a private account), to promoting health and wellness (like allowing for digital patient check-ins at the emergency room)…These are applications that millions of people already enjoy, and that offer great potential in the future. It is in no one’s interest that the lawful development and use of biometric technologies be artificially chilled.” — The Internet Association in its court brief

In December, Facebook announced that it will notify users if someone uploads a photo with you in it (whether the user tags you or not). That gives users the option of tagging it themselves, refuse to be tagged, or report the photo. That’s still not prior notice in this case, though, because the facial recognition used to identify you had already occurred prior to the consent.

How To Disable The Tech

If you want to stop Facebook from looking for you with facial recognition, The Verge has a good article on the steps you need to take to disable the tech.

Facebook can also gather additional data from photos that are uploaded, according to PetaPixel:

  • location from geotag data
  • date
  • device ID of your phone
  • cellular/Internet service provider nearby Wi-Fi Beacons/cell towers (which can be used to triangulate locations)
  • battery level
  • cell signal strength

A portion of Illinois’ Biometric Information Privacy Act:

No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first:
(1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.

You can read the initial ruling as well as arguments by both sides here.

Tagging Image By Jimmy answering questions.jpg: Wikimania2009 Beatrice Murchderivative work: Sylenius (Jimmy answering questions.jpg) [CC BY 2.0 (https://creativecommons.org/licenses/by/2.0) or CC BY 3.0 (https://creativecommons.org/licenses/by/3.0)], via Wikimedia Commons