The U.S. District Court for the Northern District of California recently ruled that a certified class action on behalf of Illinois Facebook users alleging that the social network unlawfully collects biometric data from photo tagging will go forward, denying both parties’ summary judgment motions. This case is one of the first major tests of the scope of Illinois’s Biometric Information Privacy Act (BIPA).¹ The litigation was originally filed in 2015, in response to Facebook’s launch of its “Tag Suggestions” feature, which used facial recognition algorithms to deliver suggested names for individuals in photos. Specifically, Facebook’s Tag Suggestions feature matched photos of an individual against other photos the individual was tagged in to suggest the name of the individual in the photo.

Illinois’s BIPA is one of only three state biometric privacy statutes on the books in the U.S., and the only one that allows for a private right of action.² BIPA, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s biometric information unless it satisfies certain notice, consent, and data retention requirements. For example, entities must notify the person that their biometric information is being collected and stored; state the purpose for collecting, storing, and using the biometric information; and state the length of time the biometric information will be retained. The entity must also obtain written consent from the individual before it obtains the biometric information. Biometric information is defined as a retina or iris scan, fingerprint, voiceprint, or scan of face geometry. BIPA authorizes damages of $1,000 per violation for negligent violations of the law, and $5,000 per violation for intentional or reckless violations. Damages in the Facebook case could amount to billions.Continue Reading Facebook Biometric Suit Moves Forward