Georgetown Law
Technology Review

On January 22, 2020, a putative class action lawsuit was filed in the Northern District of Illinois claiming startup app Clearview AI has amassed a facial recognition database using more than 3 billion images extracted from social media websites. The case, Mutnick v. Clearview AI, seeks certification of a nationwide class and an Illinois class, alleging the company’s practices violate the Illinois Biometric Information Privacy Act (BIPA) and equate to unreasonable searches and seizures under the United States Constitution.

Clearview has come under harsh criticism for scraping personal and biometric data from the web and selling that data to law enforcement agencies. In a recent investigative piece, the New York Times wrote that more than 600 law enforcement agencies have already tapped into the Clearview database, describing potential uses that are downright Orwellian. Ed Markey (D-MA) has called for Clearview to provide answers about its business model, which, according to Markey, has “alarming potential to impinge on the public’s civil liberties and privacy.” For its part, Twitter sent Clearview a cease and desist letter, demanding it stop collecting photos from its site.

In another class action lawsuit challenging the use of facial recognition software in social media, Facebook recently announced that it would pay $550 million to settle claims it violated BIPA when it used face-matching software to suggest the names of people in Facebook user photos. The settlement came just eight days after the Supreme Court of the United States denied Facebook’s petition for a writ of certiorari.

That case, Patel v. Facebook, began in the Northern District of California and alleged Facebook violated BIPA when it used face template software without consent to allow users to tag others in photos, a technology Facebook launched in 2010. The Ninth Circuit affirmed the California District Court ruling that Facebook’s practice of collecting, storing, and using face templates amounted to a concrete injury sufficient to confer Article III standing. In its opinion, the Ninth Circuit wrote that “an invasion of an individual’s biometric privacy rights has ‘a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts’” (citing Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016)). In October, the Ninth Circuit granted Facebook’s motion to stay to allow Facebook to petition the Supreme Court on the issues of standing and class certification.

The Supreme Court’s denial of Facebook’s petition may have driven Facebook to resolve the claims because the social media giant may have been found liable for an extraordinarily high damages figure. BIPA allows individuals to sue even if the plaintiff does not allege some actual injury beyond violation of his or her rights under the Act, and assigns statutory damages on a per violation basis, which are set at $1,000 for each violation and $5,000 for intentional or reckless violations. The Ninth Circuit rejected Facebook’s arguments that the potential for enormous liability can justify denial of class certification, discussing at length the legislative intent of the Illinois statute.

Patel v. Facebook is among the first cases to achieve class certification under BIPA, and the Rule 23(b)(3) class includes “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011.” The settlement stands to benefit consumers more broadly by sending a message to the industry that BIPA’s private right of action can be effective if plaintiffs can allege injury to their concrete right to privacy.