Georgetown Law
Technology Review

Since 2015, Facebook has been fending off a lawsuit challenging its use of facial recognition software, and this pressure will continue as Facebook is pushed to adjust its biometric data processing practices to comply with the impending European Union General Data Protection Regulation (GDPR), which will be implemented this May.1EUGDPR, GDPR Portal: Site Overview (last visited Feb. 14, 2018), https://www.eugdpr.org/.

Developing facial recognition software is a highly lucrative market, and these programs have the potential to be used for security and surveillance systems in addition to marketers delivering advertisements targeting consumers based on gender, age, and ethnicity.2Jared Bennett, Facebook: Your Face Belongs to Us, DAILY BEAST (July 31, 2017, 5:00 AM), https://www.thedailybeast.com/how-facebook-fights-to-stop-laws-on-facial-recognition. The facial-recognition market is expected to earn $9.6 billion by 2022, and Facebook has filed a patent for emotion-detection software which would display content based on an individual’s identified emotion, allowing it to monetize its facial recognition programs.3Id.

There are no federal laws providing privacy protections in corporate use of facial recognition software,4Id. but three states have such laws. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA), which forbids private entities from obtaining an individual’s biometric identifier or information without both notifying that person and receiving their written consent.5740 Ill. Comp. Stat. Ann. 14/15 (West 2018). Unlike similar laws in Texas and Washington, Illinois’ law grants individuals a private right of action against the offending company,6See 14/15, Tex. Bus. & C. Code Ann. § 503.001(d) (West 2018); Wash. Rev. Code Ann. § 19.375.020-30 (West 2018). giving BIPA substantially more teeth than if it were only enforceable by the state.

A 2015 lawsuit, filed by a Chicago-based Facebook user, argues that Facebook’s facial recognition program used in its automatic “tagging” function violated BIPA by obtaining and processing biometric identifiers—i.e., face scans—without consent.7Cyrus Farivar, Chicago Man Sues Facebook over Facial Recognition Use in “Tag Suggestions”, ARSTECHNICA (Apr. 8, 2015, 9:24 AM), https://arstechnica.com/tech-policy/2015/04/chicago-man-sues-facebook-over-facial-recognition-use-in-tag-suggestions. Under BIPA, biometric identifiers include scans of face geometry.8740 Ill. Comp. Stat. Ann. 14/15 (West 2018). The Northern District of California rejected Facebook’s motion for summary judgment, which argued that the statutory language of BIPA limits biometric identifiers to face scans which were done in person, as opposed to face scans based on photographs.9In re Facebook Biometric Information Privacy Litigation, 185 F. Supp. 3d 1155, 1172 (N.D. Cal. 2016). This argument was subsequently rejected in similar suits against both Google10See Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1097 (N.D. Ill. 2017). and Shutterfly11See Monroy v. Shutterfly, Inc., No. 16 C 10984, 2017 WL 4099846, at *4 (N.D. Ill. Sept. 15, 2017). in federal court in Illinois.

With its motion for summary judgment denied, Facebook is currently trying to block class certification in the 2015 suit, as well as an additional suit on behalf of non-Facebook users in Illinois whose images were uploaded to Facebook and scanned without consent.12Emily Sortor, Facebook Wants Class Cert. Bid Denied in Privacy Class Action Lawsuits, TOP CLASS ACTIONS, (Jan. 31, 2018), https://topclassactions.com/lawsuit-settlements/lawsuit-news/833504-facebook-wants-class-cert-bid-denied-privacy-class-action-lawsuits/. Facebook is arguing that there is a lack of commonality between the claims within each class.13Id. The two cases have been combined, and there will be a hearing to determine if class certification is proper on March 29, 2018.14Id. If the plaintiffs get class certification, Facebook’s potential damages will increase drastically and could prompt out-of-court settlement.

Although BIPA only provides relief to Illinois residents, the impending E.U. regulation may push Facebook to bring its facial recognition practices somewhat closer to conformity with BIPA for users in the United States. The GDPR generally prohibits biometric data, including face scans, from being processed without explicit consent.15See Regulation (EU) 2016/679, art. 4, art. 9. The GDPR applies not only to entities within the European Union, but also to entities that offer goods or services to or monitor the behavior of data subjects in the European Union, and then process the personal data those individuals.16See 2016/679, art. 3(2). While Facebook has expanded its facial recognition program to process uploaded images and alert the people featured in the photos regardless of whether they are tagged, users may opt out of being identified through the facial recognition program.17Camila Domonoske, Facebook Expands Use of Facial Recognition to ID Users In Photos, NPR (Dec. 19, 2017, 1:39 PM), https://www.npr.org/sections/thetwo-way/2017/12/19/571954455/facebook-expands-use-of-facial-recognition-to-id-users-in-photos. This program is not available for users in the European Union or Canada.18Id. Although the GDPR does not formally give U.S. consumers protection, it has prompted Facebook to announce efforts to make controlling privacy settings more user-friendly and transparent.19Hamza Shaban, Facebook Braces for New E.U. Privacy Law, WASH. POST (Jan. 29, 2018), https://www.washingtonpost.com/news/the-switch/wp/2018/01/29/facebook-braces-for-new-e-u-privacy-law/?utm_term=.d06b398555fa. The threats of class actions and GDPR penalties may change corporate biometric data practice norms, pushing companies towards policies that favor user privacy and affirmative consent.