(Reuters) - A federal appeals court on Thursday rejected Facebook Inc’s FB.O effort to undo a class action lawsuit claiming that it illegally collected and stored biometric data for millions of users without their consent.

FILE PHOTO: Silhouettes of mobile users are seen next to a screen projection of the Facebook logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration/File Photo

The 3-0 decision from the 9th U.S. Circuit Court of Appeals in San Francisco exposes Facebook to billions of dollars in potential damages to the Illinois users who brought the case.

It came as the social media company faces broad criticism from lawmakers and regulators over its privacy practices. Last month, Facebook agreed to pay a record $5 billion fine to settle a Federal Trade Commission data privacy probe. (Full Story)

“This biometric data is so sensitive that if it is compromised, there is simply no recourse,” Shawn Williams, a lawyer for plaintiffs in the class action, said in an interview. “It’s not like a Social security card or credit card number where you can change the number. You can’t change your face.”

Facebook did not immediately respond to requests for comment.

The lawsuit began in 2015, when Illinois users accused Facebook of violating that state’s Biometric Information Privacy Act by using facial recognition technology to collect biometric data.

Facebook allegedly accomplished this through its “Tag Suggestions” feature, which allowed users to recognize their Facebook friends from previously uploaded photos.

Writing for the appeals court, Circuit Judge Sandra Ikuta said the Illinois users could sue as a group, rejecting Facebook’s argument their claims were unique and required individual lawsuits.

She also said the 2008 Illinois law was intended to protect individuals’ “concrete interests in privacy,” and that Facebook’s alleged unauthorized use of a face template “invades an individual’s private affairs and concrete interests.”

The appeals court returned the case to U.S. District Judge James Donato in San Francisco, who had certified a class action in April 2018, for a possible trial unless Facebook successfully appeals.

Federal court procedures allowed the plaintiffs to sue Facebook in California though they called Illinois home.

Illinois’ biometric privacy law provides for damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.

Williams, a partner at Robbins Geller Rudman & Dowd, said the class could include 7 million Facebook users.

The FTC probe arose from the discovery that Facebook had let British consulting firm Cambridge Analytica harvest users’ personal information. Facebook’s $5 billion payout still requires U.S. Department of Justice approval.

The case is Patel et al v Facebook Inc, 9th U.S. Circuit Court of Appeals, No. 18-15982.