Here’s what we know: Every time you tag a friend in a Facebook photo, Facebook stores their image in its database. And here’s what we’re about to find out: whether that’s an illegal violation of users’ privacy.

On Thursday, a class-action lawsuit alleging that the world’s largest social network is violating its users’ privacy will enter phase two, Bloomberg reported. Specifically, a San Francisco court will assess whether Facebook is breaking the law by using its facial-recognition tool, to identify faces in photographs uploaded by users, or by collecting those photographs into a central database.

In use since 2010, Facebook claims its facial-recognition tool is now 97.35% accurate, which is great news if you’re trying to tag overcrowded party pictures, but less so if you’re worried about privacy. Plaintiffs in the case are concerned on a number of fronts: Facebook could be selling identifying information to retailers or other third parties. More importantly, they worry that biometric data is just as susceptible to theft, hacking, and the long and invasive arm of law enforcement as other types of data.

“Unique and unchangeable biometric identifiers are proprietary to individuals,” the complaint reads (paywall). It also alleges that Facebook failed to acquire consent before collecting “faceprints.”

The class-action suit hinges on a unique Illinois law passed in 2008, called the Biometric Information Privacy Act. It states that if companies fail to get consent from users before storing biometric information, they can be subject to a $5,000 fine, plus $1,000 in damages if the violation shows negligence. That’s per violation. For a company with 7 million users in Illinois, that could mean fines as high as $35 million.

There is some precedent here. In April, photo-sharing website Shutterfly reached a settlement over its facial-recognition technology. Snapchat faced a similar suit over the summer, but has denied storing any biometric information (the company says it uses “object recognition,” not facial recognition). Alphabet’s cloud-based Google Photos service also uses similar technology, and Google is facing privacy lawsuits of its own.

A Google spokesperson declined to comment on pending litigation.

So far, Facebook and Google have insisted that gathering data on what you look like isn’t against the law, even if it’s done without your explicit permission. Facebook says the current class-action lawsuit should be dismissed because there is no proof of actual damage, such as someone losing their job or a relationship being harmed because of embarrassing or compromising photos getting out. Still, a judge in May allowed the case to proceed.

If the court sides with Facebook, it could save the social network millions of dollars, and establish an important precedent. The alternative? Facebook has to compensate millions of people who uploaded photos while living in Illinois, update its privacy policies, prepare for the possibility of more lawsuits, and maybe even face new or stricter laws regarding biometric data. For proof, look no further than Europe, where photo-tagging no longer uses facial-recognition technology.

Correction: An earlier version of this story incorrectly referred to Facebook’s facial-recognition technology as “DeepFace” and suggested it had been in use for more than a decade. DeepFace is the name of a research paper about the technology, published by Facebook in 2014. Photo-tagging has been available on Facebook since 2005, but the deep learning that powers facial-recognition has been in operation since 2010.