Biometrics , Governance & Risk Management , Privacy
Why This Facebook Privacy Settlement Is Unusual$650 Million Settlement Reached Under Illinois' Groundbreaking Biometrics Privacy Law
Ending six years of litigation, a federal judge has signed off on a $650 million settlement of a class-action lawsuit against Facebook for violating Illinois' groundbreaking privacy law that restricts collecting biometrics data.
The lawsuit claimed Facebook violated the rights of 1.6 million Illinois residents under Illinois' Biometric Information Privacy Act.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The Illinois law is unusual because it allows citizens to bring class-action lawsuits and receive statutory damages for privacy violations, says Steven Teppler of the law firm Mandelbaum Salsburg P.C. While other states are considering similar biometrics privacy laws, many would not create a private right of action, leaving enforcement solely in the hands of the state's attorney general's office, he says.
"Illinois' Biometric Information Privacy Act is [unusual] in providing a private right of action and statutory damages along with attorneys' fees - which not many privacy laws offer - which virtually guarantees active class actions like this one," adds Richard Santalesa, a technology and data privacy attorney at The SmartEdgeLaw Group, a law firm with offices in New York and Connecticut. "As more states add privacy-focused … laws - most recently Virginia and now Florida teeing up - the challenge of actually complying with them all becomes more and more difficult."
Regulatory attorney Paul Hales of the Hales Law Group notes that the absence of a federal privacy law, which likely would supersede state laws, means there are no clear guidelines that all companies must follow.
"Some states are adopting stricter privacy protection laws, but there is little likelihood in the short run that Congress will address this problem on a national level," Hales says. "Meanwhile, the Facebook biometric case is a good indication that the plaintiffs’ bar will continue to act as 'private attorneys general' on behalf of privacy breach victims."
In his announcement of the settlement, U.S. District Judge James Donato of the Northern District of California notes that the $650 million settlement - one of the largest cash privacy class-action settlements - would result in payments of $345 for each of the 1.6 million participating plaintiffs, according to the Chicago Tribune.
"By any measure, the $650 million settlement in this biometric privacy class action is a landmark result," according to the judge's final approval order. "Overall, the settlement is a major win for consumers in the hotly contested area of digital privacy."
In the lawsuit, consumers alleged that Facebook collected biometric face prints of its users - without consent - for its face tagging technology. This feature uses facial recognition technology to suggest names for people tagged in users' photos.
Lawyers for the consumers argued that collecting face prints without permission violated the Illinois law.
Jay Edelson of the Chicago-based law firm Edelson PC - one of three firms involved in the lawsuit - noted on Twitter that Donato focused on ensuring that users were notified of the settlement.
One of the key takeaways is the Court's laser focus on innovative notice and ensuring unprecedented claims rates. Settlements need to be measured on how much money goes to class members. If no one is participating, that is a problem. The Court's approach set a new benchmark.— Jay Edelson (@jayedelson) February 26, 2021
Commenting on the settlement, a Facebook spokesperson said: "We are pleased to have reached a settlement so we can move past this matter, which is in the best interest of our community and our shareholders."
Three lawsuits against Facebook were eventually consolidated and transferred to the U.S. District Court in San Francisco.
The case went through numerous mediation sessions as well as legal appeals at the 9th U.S. Circuit Court of Appeals and the U.S. Supreme Court.
In January 2020, Facebook disclosed in a financial filing with the U.S. Securities and Exchange Commission that it had agreed to pay $550 million to settle the allegations, although negotiations dragged on for over another year with the social media company agreeing to add another $100 million (see: Facebook Settles Facial Recognition Lawsuit for $550 Million).
Illinois' Biometrics Law
Under Illinois' Biometric Information Privacy Act, which has been in effect since 2008, companies are required to inform people if their biometric data is going to be collected. Companies also must notify Illinois residents why this data is being collected and how long it will be collected, stored and used. Plus, they must get written permission from consumers before sharing their biometric information with third parties.
The law covers a range of biometric data, including retina or iris scans, fingerprints, voiceprints and scans of hand or face geometry.
During the years of litigation, Facebook's attorneys argued that because the biometric data was stored out of state, the Illinois law did not apply in this case. The social media company also argued that the law should not apply because none of the litigants could prove any financial harm caused by the collection of biometric data, according to court documents.
And while Facebook has denied any wrongdoing related to the case, in 2019, the company announced that it would no longer turn on facial recognition by default, giving its users some additional privacy controls.