Facebook pivots from facial recognition system following biometric privacy suit

Woman holds smartphone with Facebook logo in front of a displayed Facebook's new rebrand logo Meta in this illustration picture
A woman holds smartphone with Facebook logo in front of a displayed Facebook's new rebrand logo Meta in this illustration picture taken October 28, 2021. REUTERS/Dado Ruvic/Illustration/File Photo

December 22, 2021 - Facebook recently announced it is shutting down the facial recognition system used to identify individuals in videos and photographs based on stored face templates on the social network. The company described the change as part of a company-wide move to limit the use of facial recognition in its products due to growing societal concerns and the unclear regulatory landscape surrounding use of the technology.

Facebook's decision comes after it settled a major class action in February 2021 that alleged the company's facial recognition system violates Illinois's Biometric Information Privacy Act ("BIPA"). BIPA provides a private right of action to Illinois residents "aggrieved" by private entities that collect their biometric data (including retina scans, fingerprints, and face geometry) without complying with the statute's notice and consent requirements.

BIPA allows per-violation statutory damages of $1,000 for negligent and $5,000 for reckless or intentional violations of the law. The class of Illinois residents was estimated to consist of approximately 6 million members, for whom Facebook's algorithm stored a digital face template based on their facial geometry, making the total potential value of the class claims estimated at between $10 billion and $47 billion.

Facebook agreed to pay $650 million to end the BIPA class action, which was up from an initial $550 million settlement deal struck in January 2020 that failed to meet the approval of U.S. District Judge James Donato of ND California. Judge Donato was outspoken in his criticism of the initial deal based on his impression that the plaintiffs' claim that Facebook was reckless in breaching the notice and consent provisions of BIPA, yielding enhanced damages, was potentially viable based on the terms of a settlement Facebook entered into with the Federal Trade Commission in 2019.

The $5 billion FTC settlement followed the agency's complaint that Facebook violated broad privacy provisions from a 2012 consent decree, including by misrepresenting the extent to which users could control the privacy of their facial-recognition template by implying that users would have to opt-in for the site to use facial recognition, whereas approximately 60 million users were automatically enrolled unless they opted-out.

The class claims were headed for trial in the wake of significant rulings by the District Court that were upheld on appeal by the Ninth Circuit. In 2018, Judge Donato denied Facebook's motion to dismiss and certified the class, finding that BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and the ability to withhold consent, which codified a right of privacy in personal biometric information.

Consequently, violation of the procedural rights granted by BIPA necessarily amounts to a concrete injury because it infringes on the privacy rights protected by the statute, and plaintiffs were not required to show any additional "real-world harms" in order to have standing. Class members could rely on common proof to show that they were harmed by Facebook's collection of their biometric information because pleading of some additional "actual injury" other than violation of the statute was unnecessary.

Subsequently, Judge Donato denied competing motions for summary judgment because of unresolved factual disputes over whether Facebook's technology actually collects and stores scans of the "face geometry" of users. The Ninth Circuit later affirmed the class certification decision in 2019, agreeing that BIPA protects concrete privacy interests and violations of the procedures in BIPA actually harm those privacy interests.

The class action against Facebook has been significant in the context of increasing litigation under BIPA. Judge Donato's analysis of standing issues was persuasive to the Illinois Supreme Court in 2019, when it ruled for the first time in Rosenbach v. Six Flags that an allegation of "actual injury or adverse effect" is not required for a plaintiff to have standing to sue under BIPA because invasion of the statutory right to control biometric information alone inflicts the precise harm the Illinois legislature sought to prevent.

Rosenbach basically ensured that BIPA suits would be allowed to go forward, at least in state court, anytime that a technical violation of the statute is alleged. And after Facebook's record $650 million settlement, other defendants have followed suit and cut deals in 2021, including settlements by TikTok ($92 million), Six Flags ($36 million), Shutterfly ($6.75 million), and Wendy's ($5.85 million), among others.

Whether other companies will follow Facebook's lead and shelve technologies that allow for identification of individuals remains to be seen. Facebook highlighted the wide scope of its decision to discontinue use of facial recognition, announcing that the face templates of more than one billion global users will be deleted in implementing the change of policy. That impact goes way beyond the potential reach of liability under BIPA but may acknowledge BIPA's power as a bellwether of privacy protection and public opinion regarding physical personal data captured in the digital realm.

Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.

Torsten Kracht is a partner based in Hunton Andrews Kurth's Washington, D.C., and New York offices. Kracht represents clients from the U.S. and abroad in complex commercial litigation and arbitration.

Lisa Sotto is managing partner of Hunton Andrews Kurth's New York office and chair of the firm's global privacy and cybersecurity practice.

Bennett Sooy is a litigation associate based in Hunton Andrews Kurth's Washington, D.C., office.