Biometric Face Recognition Class Action Lawsuit Against Facebook is Green-Lighted by US Ninth Circuit Court

The California Consumer Privacy Act (“CCPA”) goes into effect starting January 1, 2020. Biometric information is among the data that is subject to the provisions of the CCPA. We have written about biometric data here and here. Fingerprinting and facial recognition software are probably the most commonly used biometric data. Many smartphones use facial recognition as a method of locking the phone. That data is stored and privacy advocates are concerned about where that data is stored, the security of that storage, and what other used can be made of the data.

For a number of years now, Illinois has had a statute protecting the privacy of consumers with respect to biometric data called the Biometric Information Privacy Act (“BIPA”), 740 Ill. Comp. Stat. 14/1 et seq. The BIPA provides that any person who is “aggrieved” by a violation of the BIPA has the right to bring a lawsuit. Statutory damages are significant, particularly if a class action is filed a certified — $1,000 and $5,000 per violation.

Given the reach of the internet and online sales, the Illinois statute is potentially applicable to San Diego and California businesses. Does your business collect biometric data? Are there Illinois customers and/or employees about whom such data is collected? Do you store or manipulate biometric data that might include Illinois residents and employees?

Facebook, Inc., a California-based corporation, is facing this exact problem. Facebook’s website and platform reaches every part of the US and the globe. A couple of years ago, a class action was filed in Illinois federal court claiming that Facebook violated the BIPA by collecting, using, and storing biometric identifiers — a “scan” of “face geometry” — from photos without written consent/release and without conforming to the BIPA’s requirements for data storage and retention. The case was transferred to the federal court in San Francisco.

At the trial level, Facebook was successful in having the case dismissed. Facebook argued that the plaintiffs — and other customers — did not suffer any damages even assuming that Facebook violated the BIPA. The dismissal was appealed to the Ninth Circuit and the Ninth Circuit recently reversed. See Patel v. Facebook, Inc., Case No. 18-15982 (US Fed. 9th Cir. August 8, 2019). The case is now being sent back to the trial court.

The Ninth Circuit held that plaintiffs claimed sufficient injury to proceed with their lawsuit. The BIPA was designed to protect consumers’ privacy rights which, according to the court, included the ability to control information about the consumer that is collected and stored. The fact that Facebook used its programming to create a face “template” directly infringed on the right to control what information is collected, how it is manipulated and stored. As such, the mere collection of biometric data in violation of BIPA was an “injury” sufficient to confer standing under federal law. To have standing, a plaintiff must show injury to a “legally protected interest.” The BIPA creates such a “legally protected interest.

Contact San Diego Corporate Law Today

For more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard provides a full panoply of legal services for businesses including formation of corporate entities of all types. Like us on Facebook.

You Might Also Like:

Consumer Privacy Act: Could the Courts Expand the Private Right of Action Under the CCPA?

Is it Time to Say “No” to Biometrics?

Can “Data Dividends” Make the Consumer Privacy Act Workable

California Consumer Privacy Act Will Apply to Employees and Job Candidates

What the California Consumer Privacy Act of 2018 Means for San Diego Businesses