Facebook — inarguably the world’s largest facial database — has lost a federal appeal in a class-action lawsuit that claimed it illegally collected and stored biometric data of millions of users without their consent.

The lawsuit began in 2015 when Illinois-based Facebook users sued the company for violating the state’s Biometric Information Privacy Act (BIPA), which mandates that companies develop a public “written policy” before such data is collected and stored, and establish a retention schedule after which the biometric identifiers will be destroyed.

Facebook’s contravention stems from its “Tag Suggestions” feature that lets you automatically tag your friends in photos uploaded to the service.

The technology analyzes the details of people’s faces in the photos — the distance between their eyes, their nose, and other features — to create a face template that can be used to identify them in other photos.

The plaintiffs argued the company’s facial recognition feature failed to meet the requirements of the law.

In a 3-0 decision, the 9th U.S. Circuit Court of Appeals in San Francisco — which has jurisdiction over Facebook’s headquarters in Menlo Park — unanimously rejected the company’s appeal to rescind the class-action lawsuit.

“We conclude that the development of face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests,” the court ruled in its decision.

Privacy advocates have long expressed concerns that facial recognition systems could be exploited for mass surveillance. The American Civil Liberties Union (ACLU) said “the decision is a major win for privacy rights, and recognizes the dangers posed by the increased use of face recognition technology.”

Now that the case can move forward, this could potentially cost the social media giant billions of dollars in damages if it loses. Reuters notes the lawsuit “could include 7 million Facebook users.”

Under BIPA, each user affected by Facebook’s unlawful biometric collection could be entitled to damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.

With big technology companies already under scrutiny from regulators around the world over their data collection practices, the timing couldn’t be worse for the social network, which agreed to pay a record $5 billion fine to settle a Federal Trade Commission data privacy probe.
