Class Action Suit Filed Against Facebook for BIPA Violations

On Monday, Kelly Whalen filed a class-action lawsuit against Facebook, Inc. for violations of the Illinois Biometric Information Privacy Act (BIPA). The case was filed in California’s San Mateo Superior Court on behalf of Illinois residents who had their biometric information “illegally harvested” by Facebook after they used its social media application Instagram to upload and share photographs. 

The suit comes on the heels of Facebook’s $650 million class action settlement resulting from allegations that it similarly abused BIPA protections by illegally collecting protected biometrics of users of its Facebook platform.

The present complaint claims that “Facebook surreptitiously captures its Instagram users’ protected biometrics without their informed consent and, worse yet, without actually informing them of its practice.” This, the plaintiff argues, transgresses the BIPA, which prevents the collection of “personal feature[s] that [are] unique to an individual,” without notification and written consent. Citing a New York Times article, the plaintiff averred that Facebook collects the data to “to bolster its facial recognition abilities across all of its products, including the Facebook application and shares this information among various entities.”

To support its contentions that Facebook indeed collects data, the complaint pointed to the company’s first-ever California Privacy Notice directed to California users as a supplement to its Data Policy in compliance with California’s Consumer Privacy Act published on January 1. In the disclosure, the plaintiff cited Facebook’s collection of “identifiers,” like “photos and face imagery that can be used to create face-recognition templates if you or others choose to provide it and you have the setting turned on,” and “[a]udio or visual Information, including photos and videos, if you or others choose to provide it.” The plaintiff contended that “the contents of the notice demonstrate that Facebook has been collecting biometric data from its Instagram users for, at minimum, the 2019 calendar year.”

The plaintiff noted that although the company’s California Privacy Notice indicates that users have the option to elect whether biometric data is collected, it contends that this “belated after-the-fact notice to Instagram users cannot constitute compliance with the BIPA for a variety of reasons, including that Facebook only allowed Class Members’ to opt out after it collected their protected biometrics, and even then, only if Class Members knew to look for the opt-out option, which, upon information and belief, is not even possible through a user’s Instagram account.”

The complaint also alleged that a Facebook spokesperson, “said its system analyzes faces in users’ photos to check whether they match with those who have their facial recognition setting turned on.” This means, the plaintiff reasoned, “that users can never really ‘opt out’ of Facebook’s use of facial recognition.”

The plaintiff seeks class certification for Illinois residents who have had their biometric information obtained by Facebook through photographs they have uploaded to their Instagram accounts. It also requests an injunction to stop the practice and statutory damages of $5,000 for each intentional or reckless violation and $1,000 per negligent violation of the BIPA.

The plaintiff is represented by Carlson Lynch LLP and Whitfield Bryson LLP.