The court "concluded that the development of a face template using facial-recognition technology without consent (as alleged in this case) invades an individual's private affairs and concrete interests." Judge Sandra Ikuta wrote in an opinion that "the facial-recognition technology at issue here can obtain information that is 'detailed, encyclopedic, and effortlessly compiled,' which would be almost impossible without such technology."

The lawsuit started in 2015 when users in Illinois accused Facebook of violating the state's Biometric Information Privacy Act (BIPA). It allegedly did so through its use of the tag suggestions feature. That offered users suggestions of friends to tag in their pictures based on previously uploaded photos.

Facebook claimed that the plaintiffs' claims against the company were unique and as such they should be required to file lawsuits individually. The appeals court rejected that assertion, allowing the class-action suit to proceed. Judge Ikuta wrote that the intention of BIPA was to protect people's "concrete interests in privacy" and by allegedly using biometric data to create a face template for its users, Facebook "[invaded] an individual's private affairs and concrete interests."

Damages for BIPA violations can reach up to $1,000 for each negligent violation, and as much as $5,000 for each reckless or intentional violation. Shawn Williams, a lawyer for the plaintiffs, told Reuters the class action may include 7 million Facebook users. That could put the company on the hook for billions of dollars if the case goes to trial.

"This decision is a strong recognition of the dangers of unfettered use of face surveillance technology," Nathan Freed Wessler, a staff attorney with the ACLU Speech, Privacy, and Technology Project, said in a statement. "The capability to instantaneously identify and track people based on their faces raises chilling potential for privacy violations at an unprecedented scale. Both corporations and the government are now on notice that this technology poses unique risks to people's privacy and safety."

Facebook, of course, hasn't exactly steered clear of legal and regulatory troubles when it comes to privacy. Just last month, it agreed to a $5 billion fine with the Federal Trade Commission related to the Cambridge Analytica scandal.