The U.S. District Court for the Northern District of California recently ruled that a certified class action on behalf of Illinois Facebook users alleging that the social network unlawfully collects biometric data from photo tagging will go forward, denying both parties’ summary judgment motions. This case is one of the first major tests of the scope of Illinois’s Biometric Information Privacy Act (BIPA).1 The litigation was originally filed in 2015, in response to Facebook’s launch of its “Tag Suggestions” feature, which used facial recognition algorithms to deliver suggested names for individuals in photos. Specifically, Facebook’s Tag Suggestions feature matched photos of an individual against other photos the individual was tagged in to suggest the name of the individual in the photo.

Illinois’s BIPA is one of only three state biometric privacy statutes on the books in the U.S., and the only one that allows for a private right of action.2 BIPA, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s biometric information unless it satisfies certain notice, consent, and data retention requirements. For example, entities must notify the person that their biometric information is being collected and stored; state the purpose for collecting, storing, and using the biometric information; and state the length of time the biometric information will be retained. The entity must also obtain written consent from the individual before it obtains the biometric information. Biometric information is defined as a retina or iris scan, fingerprint, voiceprint, or scan of face geometry. BIPA authorizes damages of $1,000 per violation for negligent violations of the law, and $5,000 per violation for intentional or reckless violations. Damages in the Facebook case could amount to billions.Continue Reading Facebook Biometric Suit Moves Forward

On December 21, 2017, the Illinois Second District Appellate Court dealt a significant blow to the recent wave of Illinois Biometric Information Privacy Act (BIPA) class actions, holding in Rosenbach v. Six Flags Entertainment Corp. that plaintiffs alleging mere procedural violations of BIPA, without “any injury or adverse effect,” are not “aggrieved” persons entitled to any relief—monetary or otherwise—under the statute.1

BIPA prohibits companies from collecting biometric information from individuals without notice and written consent.2 The Illinois legislature passed BIPA in 2008 in response to the growing use of biometric technology in the business and security screening sectors in Illinois.3 Specifically, lawmakers were concerned about companies like Pay By Touch—which, in the early 2000s, brought biometric authentication to payment systems —going bankrupt and, consequently, putting consumers’ sensitive personal information at risk.4 To that end, BIPA contains a private right of action that allows any person “aggrieved” by a violation of the act to bring a claim against the offending party for $1,000 or actual damages per negligent violation, and $5,000 or actual damages per intentional or reckless violation.5 Critically, the statute does not define “aggrieved” persons, which proved to have a decisive impact on the Rosenbach court’s ruling.Continue Reading Illinois Appellate Court Holds That BIPA Plaintiffs Must Show Actual Harm