Class Action Suit Alleges Facebook’s Facial Recognition Violates Privacy Act

Facebook is catching it from all sides these days. In the crosshairs now is FB’s practice of using facial recognition software.

It used to throw me a bit when I would post a picture and, somehow, Facebook would know who was in the picture and prompt me to tag them. Turns out, though, that might not be legal everywhere. Illinois has a law called the Biometric Information Privacy Act. In short, the Act says businesses must get prior consent before collecting biometric data.

A lawsuit filed by Facebook users was by a San Francisco judge. It will be a class action suit — potentially worth billions if successful. Illinois law can tag each violation with fines up to $5,000.

Proponents argue that Facebook violates Illinois law by using facial recognition for photos.

You can read the judge’s ruling as well as arguments by both sides here.

In December, Facebook announced that it will notify users if someone uploads a photo with you in it (whether the user tags you or not). That gives users the option of tagging it themselves, refuse to be tagged, or report the photo. That’s still not prior notice in this case, though, because the facial recognition used to identify you had already occurred prior to the consent.

If you want to stop Facebook from looking for you with facial recognition, The Verge has a good article on the steps you need to take to disable the tech.

Facebook can also gather additional data from photos that are uploaded, according to PetaPixel:

• location from geotag data
• date
• device ID of your phone
• cellular/Internet service provider nearby Wi-Fi Beacons/cell towers (which can be used to triangulate locations)
• battery level
• cell signal strength

A portion of Illinois’ Biometric Information Privacy Act:

No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information, unless it first:

(1) informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.

No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.