On August 8th, a federal appeals court rejected Facebook’s call to undo a lawsuit that indicated the social media giant has been collecting and storing unauthorized biometric facial data of millions of users without their expressed consent.
The 9th U.S. Circuit Court of Appeals in San Francisco came to a 3-0 decision over whether they considered Facebook’s facial recognition tools to be unauthorized, leaving the company open to billions of dollars’ worth of damages to users who started the class action lawsuit.
The lawsuit started when a group of Illinois users accused Facebook in 2015. The users stated that Facebook was in violation of Illinois state’s Biometric Information Privacy Act which prohibits companies to store biometric data without consent. Facebook’s ‘tag suggestion’ feature allows users to recognize and tag their friends based on biometric data of previously uploaded photos.
The ‘tagging’ allows for Facebook to analyze facial geometric data points, such as the distance between nose, ears, and eyes, which is then used to identify an individual’s face.
The technology then takes those data points and compares it against its user face database to determine whether there is a match to it.
Initially when Facebook released the ‘tag’ functionality it collected user biometric identifiers without a written release, and did not indicate any sort of guidelines towards disposing of the data, or any retention schedule of how long the company would keep the data.
The panel of circuit judges found that the privacy injuries over time amounted to sufficient enough evidence to allow for the class action lawsuit to proceed.
Judge Sandra Ikuta noted that the collection of this data could potentially be used to breach privacy, stating:
“Taking into account the future development of such technology… it seems that a face-mapped individual could be identified from a surveillance photo taken on the streets or an office building. Or a biometric face template could be used to unlock the face recognition lock on that individual’s cell phone.”
Illinois’ Biometric Information Privacy Act has a payout of $1,000 for negligent violations of the law, and $5,000 per intentional or reckless violation.
Those involved with the lawsuit feel as though their privacy is breached when the technology company collects biometric measurements of the user’s face.
Shawn Williams, a lawyer for the plaintiffs in the class action lawsuit said:
“This biometric data is so sensitive that if it is compromised there is simply no recourse. It’s not like a Social Security card or credit card number where you can change the number. You can’t change your face.”
A Facebook spokesperson told Reuters through an email that the company plans on appealing the outcome, stating:
“We have always disclosed our use of face recognition technology that people can turn on or off at any time.”
Facebook argues that the case should be thrown out and that the information is being collected and stored in servers outside of Illinois, meaning that the state law should not apply.
Facebook has been at the forefront of a considerable amount of controversy, with projects such as their Libra cryptocurrency, as well as their general privacy practices.
The social media company was ordered to pay $5 billion dollars to settle a Federal Trade Commission privacy probe just last month.