Artificial Intelligence & Machine Learning , Governance & Risk Management , Legislation & Litigation

Facebook Settles Facial Recognition Lawsuit for $550 Million

Plaintiffs Argued Company Violated Illinois' Biometric Privacy Law

Facebook has agreed to pay $550 million to settle a class action lawsuit alleging the company violated Illinois law in collecting data for a facial recognition tool without users' consent.

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

The settlement ends five years of litigation between Facebook and the three law firms that brought the case on behalf of Illinois consumers. The case is the "largest cash settlement" ever paid to settle a privacy lawsuit, according to the attorneys involved.

The settlement - revealed by company executives during a Wednesday earnings call - came after Facebook failed this month in its efforts to get the U.S. Supreme court to throw out the lawsuit.

The case is considered a significant win for privacy advocates, with the a Electronic Privacy Information Center lauding the settlement. The non-profit has also faced off against Facebook over the years, claiming the company's practices have violated consumers' privacy rights.

1/#BREAKING: "A Big Victory for Privacy Groups" - @Facebook Settlement

This week Facebook agreed to pay $550 million to settle a lawsuit about the use of #facialrecognition technology. https://t.co/0mWp0Ul9es

EPIC will host a telephone #pressconference at 11:30 EST! pic.twitter.com/wQs5alIgAp — EPIC (@EPICprivacy) January 30, 2020

On Thursday, a Facebook spokesperson told Information Security Media Group: "We decided to pursue a settlement as it was in the best interest of our community and our shareholders to move past this matter."

Violation Of Biometric Law

In the lawsuit, consumers alleged that Facebook collected biometric face prints of its users - without consent - for its face tagging technology. This feature uses facial recognition technology to suggest names for people tagged in users' photos.

Lawyers for the consumers argued that Facebook never asked for or received permission from its users to collect this information, and that the collection violated Illinois' Biometric Information Privacy Act (see: Consumer Privacy: Reasons for Optimism As Well As Concern).

In 2019, Facebook announced that it would no longer turn on facial recognition by default, giving its users some additional privacy controls.

Under Illinois' Biometric Information Privacy Act, which has been in effect since 2008, companies are required to inform people if their biometric data is going to be collected. Organizations must also notify Illinois residents why this data is being collected, how long that data is collected, stored and used, as well as get written permission if biometric information is going to be shared with third parties.

The law covers a range of biometric data, including retina or iris scans, fingerprints, voiceprints and scans of hand or face geometry.

"Biometrics is one of the two primary battlegrounds, along with geolocation, that will define our privacy rights for the next generation," says Jay Edelson of the Chicago-based law firm Edelson PC - one of three firm that brought the lawsuit in 2015. "We hope and expect that other companies will follow Facebook's lead and pay significant attention to the importance of our biometric information."

String of Lawsuits

The original lawsuit against Facebook for violating the Illinois biometric law was first brought in 2015 by Edelson PC. Later, two other law firms - Labaton Sucharow LLP and Robbins Geller Rudman & Dowd LLP - each brought their own legal actions on behalf of state residents who believed their rights were violated.

The cases were eventually consolidated and transferred to the U.S. District Court in San Francisco, and the three law firms jointly litigated the lawsuit over the last several years.

Facebook's attorneys argued that because the biometric data was stored out of state, the Illinois law did not apply in this case. The social media company also argued that the law should not apply because none of the litigants could prove any financial harm caused by the collection of biometric data, according to court documents.

During the five years that the case made its way through the courts, Facebook denied any wrongdoing.

The case went through numerous mediation sessions as well as legal appeals at the Ninth Circuit Court of Appeals and the U.S. Supreme Court.

Facebook acknowledged the lawsuit and the settlement it reached during its quarterly earnings call on Wednesday as well as within financial filings with the Securities and Exchange Commission.

Facebook announced fourth quarter revenue of about $21 billion and profits of $7.3 billion.

In July 2019, Facebook settled with the U.S. Federal Trade Commission and the Justice Department over allegations that it violated users' privacy when it allowed-third party firms to access personal data. That agreement, stemming from the Cambridge Analytica incident, resulted in a record-setting fine of $5 billion (see: It's Official: FTC Fines Facebook $5 Billion).

A judge must still approve the agreement announced Wednesday, paving the way to create a fund for the consumers that brought the case.

Other Lawsuits

Other lawsuits involving the collection of biometric data are also making their way through various courts. Earlier this month, ZDNet reported that a lawsuit had been filed against Clearview AI, a startup firm that has developed facial recognition software that is mainly sold to police and law enforcement.

As with the Facebook case, Illinois residents are claiming the company violated the state's biometric law by collecting data without permission, according to the report.