Adam Pezen, Carlo Licata and Nimesh Patel are among millions of people who have been tagged in Facebook photos at some point in the past decade, sometimes at the suggestion of an automated tagging feature powered by facial recognition technology.
It was their Illinois addresses, though, that put the trio’s names atop a lawsuit that Facebook recently agreed to settle for $550 million, which could lead to payouts of a couple hundred dollars to several million Illinois users of the social networking site.
The lawsuit — one of more than 400 filed against tech companies big and small in the past five years, by one law firm’s count — alleges that Facebook broke Illinois’ strict biometric privacy law that allows people to sue companies that fail to get consent before harvesting consumers’ data, including through facial and fingerprint scanning. Privacy advocates hail the law as the nation’s strongest form of protection in the commercial use of such data, and it has survived ongoing efforts by the tech industry and other businesses to weaken it.
Attorneys who focus on privacy law predict that the Facebook settlement — if approved by a federal judge — will trigger a new round of lawsuits and make the targets of existing ones more likely to settle. Illinois’ legal landscape also could shape debates over privacy protection in other states and in Congress, particularly about whether individuals should have the right to sue over violations.
“We’re going to see a lot of constituents saying, ‘Why not me?'” said Jay Edelson, a Chicago attorney whose firm first sued Facebook for allegedly breaking Illinois’ law. “This settlement, it’s going to really make the point that having laws on the books is the difference between people getting to go to court and getting real relief, and otherwise just getting trampled by these tech companies.”
Although the buying and selling of consumer data has become a multi-billion-dollar industry, Illinois’ law — the Biometric Information Privacy Act — predates even Facebook’s iconic “like” feature and was a reaction to a single company’s flop.
Pay By Touch, a startup that teamed with grocery stores to offer fingerprint-based payments, had gone bankrupt and was expected to auction off its assets, including its database of users’ information. Worried about where that user data would wind up, Illinois lawmakers quickly passed a law in 2008 requiring companies to get consent before collecting biometric information and to create a policy specifying how that information will be retained and when it will be destroyed.
It also gave Illinois residents the right to sue for $1,000 over negligent violations and $5,000 for intentional violations.
For years, “literally nothing happened,” said John Fitzgerald, a Chicago attorney and author of a book on the law that is due out this year. He couldn’t find any record of a case filed before 2015.
Edelson’s firm and others that focus on class-action suits were first, accusing Facebook of failing to meet Illinois’ standard in multiple lawsuits filed in 2015. The three Illinois men fronting the class-action suit against Facebook said they were never told that the site’s photo tagging system used facial recognition technology to analyze photos then create and store “face templates.”
A federal judge later grouped the cases together as a class-action on behalf of Illinois Facebook users who were among the stored face templates as of June 7, 2011.
Facebook only changed the technology last year. The tag suggestion tool was replaced a broader facial recognition setting, which is turned off by default.
The Illinois law is the basis for two recent suits filed against Clearview AI, a facial recognition company that harvests images by scraping social media sites and other places and then sells access to its database to law enforcement agencies.
Facebook, Twitter, Venmo and YouTube have all demanded that Clearview stop harvesting their users’ images following investigative reports by The New York Times and Buzzfeed.
Although there are Illinois lawsuits against other major tech companies, including Google, Snapchat and Shutterfly, the vast majority of the cases are filed on behalf of employees who were directed to use fingerprint scanning systems to track their work hours and who accuse employers or the systems’ creators of failing to get their prior consent.
Illinois is one of three states that have laws governing the use of biometric data. But the other two, Texas and Washington, don’t permit individual lawsuits, instead delegating enforcement to their attorneys general.
The state’s Chamber of Commerce and tech industry groups have backed amendments to gut Illinois’ allowance of individual lawsuits or exempt time-keeping systems.
Illinois’ law puts “litigation over innovation,” said Tyler Diers, the Illinois and Midwest executive director of the industry group TechNet, whose members include Apple, Facebook and Google.
“This case exemplifies why consumer privacy law should empower state regulators to enforce rather than line the pockets of class action attorneys,” Diers said in a statement.
Facing Illinois’ law, some companies opt out of the state. Sony, for instance, refuses to sell its “aibo” robot dog to Illinois residents and says the device’s ability to behave differently toward individual people depends on facial recognition technology.
Backers of the law argue that it’s not difficult to comply — simply tell consumers you plan to use biometric data and get their consent.
State Rep. Ann Williams, a Chicago Democrat, said the ability to sue is critical for consumers facing global companies that make billions of dollars per year.
“If the penalty’s only a fine, that’s the cost of doing business for them,” Williams said. “A settlement like (the Facebook case), we’re talking about real money that will go to consumers.”
Attorneys who defend smaller companies, though, argue that the law should be narrowed to permit the use of fingerprint scanners to track employees’ hours.
“Small and medium-size businesses really do not have the resources to defend these cases or pay some big settlement,” said Mary Smigielski, a partner at Lewis Brisbois Bisgaard & Smith and a co-leader of the firm’s group focused on Illinois’ biometric law.
The Facebook case wound through courtrooms in Illinois and California for nearly five years before last month’s announcement of a settlement, days after the U.S. Supreme Court declined to hear arguments.
Edelson said he hopes that the $550 million deal, which lawyers on the case described as a record amount for a privacy claim, will put pressure on attorneys to refuse credit monitoring or negligible cash payouts that are more typical in agreements to resolve data privacy suits.
People eligible for the settlement will be contacted directly and don’t need to take any action until then, attorneys on the case said.