First Appeals Court Decision in the Nation Recognizing the Unique Privacy Harms of Face Recognition Technology

The U.S. Court of Appeals for the Ninth Circuit ruled today that Facebook users can sue the company over its use of face recognition technology. The ruling is the first decision of an American appellate court directly addressing the unique privacy harms posed by the face recognition technology being increasingly pushed on members of the public without their knowledge and consent.

The ruling in Patel v. Facebook affirms the district court's certification of a class of Facebook users in Illinois who have alleged that the company violated their rights under their state’s Biometric Information Privacy Act (BIPA). The Illinois statute imposes protections against companies collecting and storing biometric information, including using face recognition technology, without the user’s knowledge and consent. The suit alleges that Facebook’s practice of using face recognition technology to identify users in digital images uploaded to the site without disclosing its use of face recognition or obtaining consent violates state law.

“This decision is a strong recognition of the dangers of unfettered use of face surveillance technology,” said Nathan Freed Wessler, staff attorney with the ACLU Speech, Privacy, and Technology Project. “The capability to instantaneously identify and track people based on their faces raises chilling potential for privacy violations at an unprecedented scale. Both corporations and the government are now on notice that this technology poses unique risks to people's privacy and safety.”

Today’s ruling allows the case to move forward as a class action in district court. In an opinion by Judge Ikuta, the court “concludes that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.” As the court explained, “the facial-recognition technology at issue here can obtain information that is ‘detailed, encyclopedic, and effortlessly compiled,’ which would be almost impossible without such technology.” In light of these harms, the court found that the plaintiffs had alleged sufficient privacy injuries to have standing to sue.

“BIPA's innovative protections for biometric information are now enforceable in federal court," added Rebecca Glenberg, senior staff attorney at the ACLU of Illinois. "If a corporation violates a statute by taking your personal information without your consent, you do not have to wait until your data is stolen or misused to go to court. As our General Assembly understood when it enacted BIPA, a strong enforcement mechanism is crucial to hold companies accountable when they violate our privacy laws. Corporations that misuse Illinoisans sensitive biometric data now do so at their own peril.”

The ruling can be found online here: https://www.aclu.org/legal-document/patel-v-facebook-opinion

A copy of the amicus brief filed by the ACLU, ACLU of Illinois, ACLUs of Northern and Southern California, Center for Democracy and Technology, Electronic Frontier Foundation, and Illinois PIRG can be found here: https://www.aclu.org/legal-document/patel-v-facebook-amicus-brief

More on this case can be found here: https://www.aclu.org/blog/privacy-technology/surveillance-technologies/people-should-be-allowed-sue-facebook-if-it