Illinois Users’ Face-Scanning Privacy Lawsuit Against Facebook Headed to Trial
This is a class action asserting that Facebook’s face recognition and scanning practices violate the Illinois Biometric Privacy Act rights of Illinois users. The court previously rejected Facebook’s arguments based on choice of law and standing, and certified a class. Facebook sought summary judgment that it did not violate the statute, that plaintiffs lack standing, that plaintiffs’ damages should be limited and require a showing of actual damages. The court says that it is unable to resolve any of these issues on summary judgment. Thus, the case looks like it’s proceeding to trial.
The first and most interesting issue is whether Facebook’s scanning is covered by the statute. The statute covers the collection of “biometric identifiers or biometric information”. The parties focus on whether Facebook’s process collects scans of “face geometry”. Plaintiffs say it does, and Facebook says that its machine learning-based process is not based on face geometry. The parties offer dueling experts that veer into technical territory. Plaintiffs also offered a Facebook research paper captioned DeepFace (a moniker surely regretted by Facebook) that seems to suggest that the technology relies on fixed points based on facial features. The court says this is a jury question. Facebook also pointed to use of the phrase “scan of face geometry” in the statute to require measurement of human factual features, but the court says it’s unclear, and in any event, disputes regarding the operation of the technology render summary judgment inappropriate.
Facebook also argued that subjecting it to the Illinois statute would violate the Dormant Commerce Clause. The court says this issue is partially resolved by the court’s ruling rejecting Facebook’s extraterritoriality argument. The lawsuit is brought by Illinois residents who used Facebook in Illinois, and the court already decided that the scanning cannot have occurred “wholly outside Illinois.” Facebook’s “metaphysical arguments about where BIPA was violated fare no better when re-packaged under the Dormant Commerce Clause.” The court easily dismisses Facebook’s argument about the specter of inconsistent regulations, saying the record shows Facebook can easily “activate or deactivate features for users in specific states . . . .”
Biometric identifiers do not include photographs, and biometric information excludes information from items carved out of the statute. Facebook argued that BIPA only applies to in-person scans and photographs are excluded from the statute. The court says it previously rejected this argument and notes that three other federal courts have as well.
The parties also sparred over damages. The statute says negligent violations result in damages of $1,000 per violation, while intentional or reckless violations result in $5,000 in damages. Facebook says that, given its good faith belief as to the legality of its practices, it shouldn’t be liable for even negligence-based damages. It also argued that plaintiffs must prove actual damages in order to be entitled to any damages. The court slams both arguments. On the good faith belief issue, the court says this is merely an ignorance-of-law argument that black letter law rejects. Case law does not allow for a mistake-of-law defense even where the statute contains a “bona fide error” provision, which BIPA does not. Thus, this argument fails. As to the argument that actual damages are required, the court previously rejected it, and it’s also not entirely supported by case law. Doe v. Chao, the Supreme Court case cited for this proposition turned on statutory interpretation, and cases following it, including those under the Video Privacy Protection Act, have found that actual damages are not categorically required, but depend on the text of the statute.
The Illinois Biometric Privacy Act has kept lawyers busy! If a well-funded behemoth such as Facebook cannot deploy face-scanning technology without having to go to trial over legal compliance, you have to wonder whether smaller players ever stand a chance.
The judge has some harsh words for the plaintiffs’ lawyers, who on the one hand (in response to Facebook’s arguments) say there are factual disputes, but on the other hand, seek summary judgment based on the absence of disputes. He has somewhat harsher words for Facebook’s lawyers, that veers into the realm of snark. Something tells me he’s not a fan of Facebook.
I still don’t understand the court’s conclusion relating to the photograph exclusion. The statute carves out photographs and information derived from photographs, but several courts have concluded that it does not exempt scanning of photographs.
The timing seems particularly bad for Facebook, given recent events and increased focused on privacy (among other things, GDPR is rearing its head and could turn into an issue for Facebook).
Facebook’s approach to privacy lawsuits are interesting. It settled litigation around Beacon and Sponsored Stories (among others). This one seems worth fighting, given the possible damages. On the other hand, the publicity of trial alone could be costly, from a PR standpoint. You wonder whether Facebook’s argument that it had a good faith belief could put its own internal evaluation of its practices at issue.
Eric’s Comments: How can Facebook “turn off” its facial recognition technology only for Illinois-based residents who are not Facebook subscribers? Automated facial recognition ≠ automated recognition of the person’s residency.
Judge Donato has been conspicuously hostile to Facebook’s arguments at every step in this case. If it doesn’t settle the case and it loses the trial, I bet Facebook can’t wait to get before an appellate court so it can start afresh with new judges.
Case citation: In re Facebook Biometric Privacy Litigation, 3:15-cv-03747-JD (May 15, 2018)