(Reuters) - Facebook disclosed Wednesday that it has agreed to pay $550 million to settle a class action that accuses the company of violating Illinois’ Biometric Information Privacy Act by using facial recognition technology to allow users to “tag” photos of their friends. Though the settlement must still be approved by U.S. District Judge James Donato of San Francisco, class counsel from Edelson, Robbins Geller Rudman & Dowd and Labaton Sucharow said in a press release that the deal will deliver more cash to class members than any previous privacy settlement. Paul Geller of Robbins Geller said the $550 million deal should serve as a warning to other companies: “Consumers are recognized, identified and surveilled more than we like and certainly more than we know,” he said. “While I applaud advances in technology, now more than ever we can’t lose sight of the need to protect our civil liberties and right to privacy.”
There’s no doubt that privacy class actions are vastly more valuable than they were a decade ago. In 2011, Reuters made a chart of plaintiffs’ recoveries in six of the then-biggest privacy class actions. None of the settlements topped $10 million and only two provided cash for class members other than lead plaintiffs. As data breaches have proliferated, data breach settlements have escalated. Class members obtained nearly $20 million in potential cash relief in the 2018 Anthem settlement. The just-approved Equifax settlement offers $380.5 million in cash, mostly to consumers who incurred out-of-pocket costs to respond to the data breach.
Want more On the Case? Listen to the On the Case podcast.
But the Facebook settlement is different. The class consists of Illinois Facebook users who are entitled to statutory damages of $1,000 under their state’s law policing the use of their biometric data. Their injury, according to a ruling last summer by the 9th U.S. Circuit Court of Appeals, is simply the breach of their privacy rights. Depending on the claims rate, class members in the Facebook case are expected to recover at least $200, without showing any actual damages.
So what message should privacy lawyers and defendants take from the settlement? Does the $550 million payout mark a newfound evaluation of privacy claims? Or is the deal just a one-off reflection of the unique circumstances of this case?
I posed that question to all of the lead class lawyers in the facial recognition case, Geller and Shawn Williams of Robbins Geller, Jay Edelson of Edelson and Michael Canty of Labaton. Their answer: There are unique circumstances in the Facebook case – but its outcome could inspire changes that impact privacy litigation more broadly.
I should say here that I also reached out to lawyers at Mayer Brown, which represented Facebook through most of the facial recognition case, and to Michael Rhodes of Cooley, who came in recently as Facebook’s lead trial counsel. Rhodes declined to comment; the Mayer Brown lawyers did not respond. A Facebook spokeswoman also did not respond to my email. The company did not admit wrongdoing but has changed its default settings so users must opt-in to the facial recognition feature.
The class recovery in the Facebook case rested on two things: the Illinois statute and class counsel’s determination to enforce it. Illinois is one of the few states with a law policing the use of its residents’ biometric data. (Texas and New York are among the others.) But only Illinois, according to Williams and Geller, includes a private right of action in its biometric privacy statute.
Other states, according to Facebook plaintiff lawyers, are considering legislation to regulate biometric and geolocation data use. Tech companies, broadly speaking, argue that such laws will stifle innovation. But Labaton’s Canty said the Facebook settlement should show state lawmakers that consumers’ privacy rights are valuable. “Biometrics are indelible,” he said. “You can’t get a new fingerprint. You can’t get a new iris. Once that information is compromised or taken, it can never be replaced.”
Edelson said his firm has received calls from more than 2,000 Facebook users since news of the settlement broke – and many of them are not from Illinois. This case, he said, starkly illustrates the power of state laws. “It’s hard to explain to people in Missouri or Nebraska or Maine why they’re not in the settlement,” Edelson said. But he said he believes public opinion is shifting in favor of privacy rights, and that this deal will accelerate the shift. “State legislators are going to have to explain: Why can people in Illinois sue but not in other states?”
Of course, statutory damages don’t count for much unless plaintiffs’ lawyers are willing to fight for them. Class counsel in the Facebook case litigated for five years, to the brink of trial, before they reached Wednesday’s settlement. They had to establish that Illinois’ biometric law applied to class claims, over Facebook’s protests that California law should prevail. They won class certification despite Facebook’s arguments that class members didn’t have standing to sue because they were not concretely injured by Facebook’s use of facial recognition tech. (One named plaintiff even testified that he liked the feature, according to Facebook.) Class counsel successfully defended Judge Donato’s class certification decision at the 9th Circuit, which ruled definitively last August that privacy violations are a concrete injury. Then they waited for the U.S. Supreme Court to deny Facebook’s petition for review of the 9th Circuit opinion. Facebook agreed to settle the case only after it returned last week to Judge Donato, who promptly ordered a Feb. 6 hearing to set a trial schedule.
“You’ve got to have resolve,” said Edelson. “We’ve been vocal about this – when you bring a case, you have to be willing to go all the way to trial.” Edelson said he hopes the Facebook outcome inspires the privacy class action bar to test the strength of their cases before settling. (Okay, he actually said he hopes the big settlement “puts pressure” on other firms.) Robbins Geller’s Williams added that the Facebook plaintiffs’ team has paved a path, cementing the 9th Circuit’s position that statutory violations of privacy rights are sufficient to establish standing in federal court. (The Illinois Supreme Court also gave a boost last year to private suits based on the state’s biometric privacy law in Rosenbach v. Six Flags, which held that a violation of BIPA is a concrete injury.)
To recap: The lawyers who just squeezed more than a half-billion dollars out of Facebook agree that their deal can be replicated if it prods more states to pass laws giving residents a right to sue over misuse of their personal data and inspires more plaintiffs’ lawyers push to maximize consumers’ rights. Those are big ifs, of course. But $550 million is a big motivator.
Our Standards: The Thomson Reuters Trust Principles.