The lawsuit, which could open up the company to billions of dollars in damages, was filed in Illinois and centers around the company’s alleged infringement of the state’s large privacy law — the Biometric Information Privacy Act (BIPA) — which protects from unconsented collection of biometric data.
Plaintiffs claim that Facebook broke the law when it used its tagging feature on state residents — a function which utilizes facial recognition software. This week's opinion agreed that the feature and its unconsented use of the technology "invades an individual’s private affairs and concrete interests."
The oldest biometric privacy bill in the country, BIPA requires all companies operating within Illinois to adhere to a set of privacy requirements: these include notifying consumers of the biometric data collection; informing them to its purpose; explaining the duration of time that the data will be stored; and ultimately garnering written consent from the consumer before data can be collected.
Facebook violated BIPA by "collecting, using, and storing biometric identifiers" without first "obtaining a written release and without establishing a compliant retention schedule," the opinion states.
Originally filed in 2015, the lawsuit was subsequently challenged by Facebook the following year — which argued that the plaintiffs' complaints represented "a bare procedural violation of BIPA" and weren't substantiated by a "concrete injury" — defined as a "legally protected interest," according to the opinion.
However, this week the 9th U.S. Circuit Court of Appeals in San Francisco sided with the plaintiffs, arguing that the lawsuit presented a sound legal argument.
"We conclude that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests," reads the opinion.
BIPA allows for a private right of action by people aggrieved by breach of the law, with damages of $1,000 for each negligent violation and $5,000 charged for each "intentional or reckless violation." The lawsuit could see Facebook pay billions in damages, given that millions of people could potentially be affected, Reuters reports.
Passed in 2008, BIPA has already led to a number of large class action lawsuits — most notably against Shutterfly, Google and Six Flags for similar infringements.
This week's decision, which was applauded by privacy rights activists, is yet another sign that courts are increasingly willing to punish tech companies for privacy infringements, even as the methods for consumer data collection continue to thrive and grow.
"This decision is a strong recognition of the dangers of unfettered use of face surveillance technology,” said Nathan Freed Wessler, staff attorney with the ACLU Speech, Privacy, and Technology Project. “The capability to instantaneously identify and track people based on their faces raises chilling potential for privacy violations at an unprecedented scale. Both corporations and the government are now on notice that this technology poses unique risks to people's privacy and safety.”