Facebook Facial Recognition Tag Suggestions May Violate Privacy Law Posted on June 3, 2016 by Larry Bodine Facebook must face a lawsuit against it that claims its photo-tagging system using facial recognition software to identifying users violates Illinois’s Biometric Information Privacy Act. Chicago residents brought the lawsuit, which was transferred to a Northern California District Court at Facebook’s request, claiming Facebook collected biometric identifiers, such as faceprints, without consent and in violation of the Illinois law. Facebook attempts to dismiss lawsuit Facebook filed a motion for summary judgement and a motion to dismiss the case, arguing that its terms and conditions included a choice-of-law provision stipulating that claims against Facebook must be litigated in California under its law, and that the plaintiffs failed to state a claim under the Biometric Information Privacy Act (BIPA). The court agreed with Facebook, finding that the plaintiffs assented to the user agreements when they signed up for Facebook, and were provided notice of the updated user agreement containing the California choice-of-law provision. However, in determining whether the California choice-of-law clause was enforceable, the court applied an enforceability test looking to whether California law on the issue is contrary to a fundamental policy and if Illinois had a “materially greater interest in the determination of the matter. Illinois privacy law applies The court, answering both questions in the affirmative, wrote that the BIPA “manifests Illinois’ substantial policy of protecting its citizens’ right to privacy in their personal biometric data.” The court wrote that the BIPA is premised on concerns about the use of biologically unique identifiers that once compromised, “the individual has no recourse” and is at a heightened risk for identity theft. The BIPA protects the privacy of individuals by requiring written policies on biometric data retention and informed consent before obtaining or disclosing personal biometric information. The act also provides a private right of action for anyone whose privacy has been compromised. See also: Facebook Tagging in Enough to Violate Restraining Order, Says NY Judge The court wrote that Facebook attempted to “downplay the conflict as merely the loss of a claim,” but rejected the argument, writing that if its motion were granted, it would write the Illinois policy of protecting its citizen’s privacy interest “out of existence.” Finding that Illinois would suffer a “complete negation of its biometric privacy protections for its citizens if California law were applied,” the court declined to enforce the California choice-of-law provision, denying Facebook’s motion for summary judgement. User photos are biometric information The court also denied Facebook’s motion to dismiss, which argued that the BIPA excludes photographs and any information derived from the photographs in its definitions of “biometric identifiers” and “biometric information.” The court found the argument “unpersuasive” and refused to read the statute to exclude images and photographs from its scope. The court wrote that such an exclusion would “substantially undercut” the BIPA because the analysis of biometric identifiers is usually based on an image or photograph. The court allowed the Facebook users to proceed finding that they had a plausible claim that Facebook used its facial recognition technology without their consent, but no ruling was made on whether the technology violated BIPA. The case is In re Facebook Biometric Information Privacy Litigation, Case number 3:15-cv-03747-JD, in the United States District Court Northern District of California.