Facebook Sued for Breach of Illinois Privacy Law

May 23, 2016

Facebook is currently defending itself in a privacy lawsuit alleging violation of the Illinois Biometric Information Privacy Act (BIPA).  The case is now pending in the federal district court in the Northern District of California.  It raises important questions regarding the extent to which biometric analysis can constitute an unlawful breach of personal privacy.

BIPA prohibits use of certain biometric information without the prior consent of the individuals associated with that information.  A group of Facebook users in Illinois allege that the biometric information addressed in BIPA includes data now being used by Facebook in its facial recognition analysis system.  The case was originally filed in federal court in Illinois, but was later moved to the Northern District of California, as Facebook’s terms of use require that all claims against the company be raised in courts in California.

The litigation focuses on Facebook’s “Tag Suggestions Program.”  The Program encourages Facebook users to “tag” photographs of people they know that are posted on the Facebook platform.  By tagging the photographs of the individuals, Facebook users associate names with the posted images of the people.  Facebook reportedly uses facial recognition software to encourage and facilitate this photo tagging process.  Facebook is apparently continually attempting to expand its collection of identified images of individuals.

The plaintiffs in the litigation allege that Facebook’s facial recognition software creates templates of facial features based on actual images of individuals.  Those templates are reportedly used to facilitate the image tagging process.  Plaintiffs claim that the creation and use of the facial feature templates by the facial recognition system violates BIPA.

This case illustrates the continually expanding scope of biometric data.  As data collection and analysis become increasingly sophisticated and widespread, an ever-diversifying array of biometric data are collected and applied for a range of purposes.  In this environment, effective protection of biometric data privacy is extremely difficult to achieve.

This case also illustrates that privacy issues associated with personal data can arise both when the data are made publicly available without permission and when they are used for purposes not authorized by the individuals involved.  Privacy can be violated even in instances when the personal information is not specifically disclosed to the general public.  The broad scope of potential privacy threats makes the challenge of providing effective protection for personal data particularly difficult to manage.