Earlier this month, a judge from the Northern District of California allowed a putative class action suit to proceed against Facebook. In this case, the plaintiffs alleged Facebook collected and stored biometric data of individuals’ facial features for use in “tagging” friends in digital photographs. In rejecting Facebook’s attempt to dismiss the suit, the court found that Illinois’ Biometric Information Privacy Act (“BIPA”) applied in place of California law, and that BIPA does not categorically exclude from its scope all biometric information taken from digital photographs.
The case stems from Facebook’s “Tag Suggestions” program for digital photographs, which identifies individuals in an uploaded digital photograph based on the individuals’ facial features. Facebook users can utilize this program to easily “tag” their friends in photographs that are uploaded to the site. To generate this tagging ability, Facebook creates and stores digital representations of faces based on an individual’s unique “geometric relationship of facial features,” such as the distance between that individual’s eyes, nose, and ears. The named plaintiffs are Illinois residents who allege that Facebook took this facial biometric information in secret and without advance consent in violation of the Illinois BIPA, which is meant to protect citizens’ right to privacy in their personal biometric data against intrusive new technology. It therefore “regulat[es] the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Under BIPA, regulated biometric identifiers can include a “scan of . . . face geometry.” The plaintiffs initially brought separate cases against Facebook in Illinois federal court in May 2015. The plaintiffs agreed to consolidate and transfer the cases to the Northern District of California.
In order for the case to move past the pleading stage, plaintiffs had to convince the California court that the Illinois BIPA should apply. A major hurdle against the plaintiffs’ argument was that the Facebook user agreement included a California choice-of-law provision. California has no statutory equivalent to BIPA that protects its citizens’ biometric information and the court refused to enforce the California choice-of-law provision. Categorizing the Illinois BIPA as a “fundamental policy,” the court found that enforcing California law would cause Illinois’ fundamental privacy policy to “be written out of existence.” Therefore, the court concluded that Illinois had a greater interest at stake in the outcome of this BIPA dispute, thus, overriding the parties’ express contractual choice.
In addition to the choice-of-law issue, Facebook also claimed that the Illinois BIPA does not apply to information derived from photographs and, as a result, the plaintiffs had failed to state a claim. In BIPA, the statute excludes from its scope biometric information taken from photographs, stating that “[b]iometric identifiers do not include writing samples, written signatures, photographs . . . .” Based on this language, Facebook argued that any biometric information taken from digital photographs was outside the statute’s scope. The court rejected this argument. Noting that the statute’s explicit purpose was to regulate newer technology like scans of facial geometry, the court held that the term photograph “is better understood to mean paper prints of photographs, not digitized images stored as a computer file and uploaded to the Internet.”
With the Northern District of California’s ruling, this putative class action against Facebook’s Tag Suggestions will live to see another day.