On May 5, 2016, a federal judge denied Facebook’s attempt to dismiss a consolidated putative class action alleging that Facebook’s “Tag Suggestions” feature violates the Illinois Biometric Information Privacy Act (BIPA).
In 2015, Adam Pezen, Carlo Licata and Nimesh Patel each brought separate putative class actions in the Northern District of Illinois against Facebook. Those three suits were subsequently consolidated and transferred to the Northern District of California. The class action plaintiffs allege that Facebook’s Tag Suggestions feature—which allegedly scans photographs uploaded by a Facebook user and then identifies faces appearing in those photographs—violates BIPA, because it extracts a Facebook user’s facial geometry without knowledge or consent.
In October 2015, Facebook filed a motion to dismiss the consolidated class action. Facebook’s motion advanced two arguments. First, Facebook argued that the class action plaintiffs cannot pursue a claim under BIPA, because they agreed that California law governs their disputes with Facebook; BIPA, an Illinois state statute, therefore does not apply. Second, Facebook argued that BIPA does not apply to Tag Suggestions, because this feature derives personal biometric data from a photograph. The Court denied Facebook’s motion.
Illinois Law Applies
The court refused to enforce Facebook’s California choice-of-law provision. Ordinarily, a choice-of-law clause will be enforced. If, however, the other side can show that (i) the contractually chosen law (California) is contrary to a fundamental policy of the state law alternative (Illinois) and (ii) the other state has a materially greater interest in the outcome of the matter, then the choice-of-law clause will not be enforced. Since California does not have a biometric privacy statute, the court argued that applying California law would run counter to Illinois’ fundamental policy to protect personal biometric data. The court also found that Illinois has a greater interest in protecting its citizens’ personal biometric data than California: “Illinois will suffer a complete negation of its biometric privacy protections for its citizens if California law is applied.”
The Class Action Plaintiffs Alleged a Claim for Relief Under BIPA
The court found that the plaintiffs stated a cause of action under BIPA. BIPA excludes from its definitions of “biometric identifier” and “biometric information” photographs and information derived from photographs. Facebook argued, therefore, that it cannot be subject to BIPA, because the biometric data at issue was derived from uploaded photographs, and BIPA excludes categorically from its scope all information involving photographs. However, the court refused to read BIPA so narrowly: “The statute is an informed consent privacy law addressing the collection, retention and use of personal biometric identifiers and information at a time when biometric technology is just beginning to be broadly deployed (citations omitted) [t]rying to cabin this purpose within a specific in-person data collection technique has no support in the words and structure of the statute, and is antithetical to its broad purpose of protecting privacy in the face of emerging biometric technology.”
Further, the court noted that BIPA regulates the collection, retention and disclosure of personal biometric identifiers, including the scan of hand or face geometry. “Plaintiffs allege that Facebook scans user-uploaded photographs to create a ‘unique digital representation of the face…based on geometric relationship of their facial features.’” This allegation falls under the “scan of face geometry” protected under BIPA.
Takeaways
Companies that collect personal biometric data should be aware that their choice-of-law provisions will not necessarily preclude them from being sued under BIPA. These same companies should also be aware that they may not be able to avoid suit under BIPA by arguing that personal biometric data was collected by scanning a photograph.