Facebook should have to answer claims in federal court brought by users who say the social network unlawfully collected and stored their biometric data without consent, a U.S. District Judge ruled Thursday.
Plaintiffs in the case — three Facebook users from Illinois — argue the company “secretly amassed the world’s largest privately-held database of consumer biometric data” when it rolled out an automated photo-tagging system in 2010 that derives unique “faceprints” from photographs uploaded by its users.
Plaintiffs said Facebook’s creation of these specialized faceprints were done without their explicit consent and amount to a violation of Illinois’s Biometric Information Privacy Act, or BIPA — legislation passed in 2008 that requires companies to obtain permission before collecting or storing such information.
Facebook said that claim should be rejected since the company’s user agreement requires any disputes to be resolved under California law, where the company is headquartered.
Ruling from a San Francisco courtroom, however, U.S. District Judge James Donato on Thursday ruled against Facebook’s motion to dismiss the suit and said the plaintiffs can raise their claims out west.
In his 22-page ruling, the judge wrote that “The Court accepts as true plaintiffs’ allegations that Facebook’s face recognition technology involves a scan of face geometry that was done without plaintiffs’ consent.”
If California’s own statutes were solely applied, the judge said, “the Illinois policy of protecting its citizens’ privacy interests in their biometric data, especially in the context of dealing with ’major national corporations’ like Facebook, would be written out of existence.”
“Illinois will suffer a complete negation of its biometric privacy protections for its citizens if California law is applied,” he wrote. “In contrast, California law and policy will suffer little, if anything at all,” if Illinois law is applied.
“The statute is an informed consent privacy law addressing the collection, retention and use of personal biometric identifiers and information at a time when biometric technology is just beginning to be broadly deployed,” he added. “Trying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology.”
Facebook declined to comment when contacted by Reuters on Thursday, but a spokesperson for the social networking service previously said the lawsuit was “without merit” and vowed to “defend ourselves vigorously.”
Shawn Williams, an attorney for the plaintiffs, told Fortune that he was pleased with the judge’s “well-reasoned decision.”
“That’s a huge victory because what that will say is that state law will be applicable in cases where a national company attempts to try cases in their own state without applying all states’ laws,” Pam Dixon, executive director of the World Privacy Forum in San Diego, told Bloomberg.
Should plaintiffs emerge victorious, then a proposed class-action settlement would require Facebook to pay between $1,000 to $5,000 to every user in Illinois whose privacy was violated, Fortune reported.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.