Biometric surveillance by companies against consumers is a growing menace to our privacy, freedom of expression, and civil rights. Fortunately, a federal appeals court has ruled that a lawsuit against Facebook for its face surveillance may move forward.

The decision by the federal Ninth Circuit, which concerns an Illinois privacy law, is the first by an American appellate court to directly identify the unique hazards of face surveillance. This is an important victory for biometric privacy, access to the courts for ordinary people, and the role of state governments as guardians of our digital liberty.

Illinois’ Biometric Information Privacy Act

The Illinois Biometric Information Privacy Act of 2008 (BIPA) is one of our nation’s most important privacy safeguards for ordinary people against corporations that want to harvest and monetize their personal information.

BIPA bars a company from collecting, using, or sharing a person’s biometric information, absent that person’s informed opt-in consent. BIPA also requires a company to destroy a person’s biometric information when its purpose for collection is satisfied, or within three years of the company’s last contact with the person, whichever is sooner. BIPA provides the strongest enforcement tool: a “private right of action,” meaning a person may file their own lawsuit against a company that violates their privacy rights.

The Illinois General Assembly explained, when passing BIPA, that “biometrics are unlike other unique identifiers” because they are “biologically unique to the individual.” As a result, “once compromised, the individual has no recourse, [and] is at heightened risk for identity theft.” Lawmakers also pointed out that the ramifications of biometric technology “are not fully known.”

In Rosenbach v. Six Flags (2019), the Illinois Supreme Court held that BIPA does not require a plaintiff to prove an injury beyond a violation of the statute itself. The court reasoned:

When a private entity fails to adhere to the statutory procedures, as defendants are alleged to have done here, the right of the individual to maintain their biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized. This is no mere “technicality.” The injury is real and significant.

EFF filed an amicus brief in Rosenbach in support of this outcome, along with the American Civil Liberties Union, ACLU of Illinois, the Center for Democracy and Technology, the Chicago Alliance Against Sexual Exploitation, Illinois Public Interest Research Group, and Lucy Parsons Lab.

Patel v. Facebook

In 2010, Facebook launched its “Tag Suggestions” feature. It uses face recognition technology to match known faces in user profile pictures and other photos to unknown faces in newly uploaded photos. If this face surveillance system generates a match, then Facebook will notify the person who uploaded the photo and suggest a “tag.” If that person accepts the tag, then the person in the photo will be identified by name. Facebook imposed this face surveillance system on users by default. To avoid it, a user must affirmatively opt out, which most users won’t do.

Facebook has migrated some of its users from its “Tag Suggestions” feature to its “Face Recognition” feature, according to the Federal Trade Commission’s recently filed consumer deception complaint against Facebook. The default remains application of face surveillance.

In 2015, Illinois residents filed a class action lawsuit in federal court called Patel v. Facebook. The plaintiffs allege that Facebook’s “Tag Suggestions” feature violates BIPA. They reason that this feature collects and uses their biometric information without their informed opt-in consent, and does not satisfy the statutory destruction deadline. Facebook removed the case from Illinois to California, where Facebook has its headquarters.

The Patel trial court denied Facebook’s motion to dismiss, and certified a class of Facebook users. The appellate court allowed Facebook to take an immediate appeal of the class certification decision.

“Standing” and Spokeo

The key issue on appeal in Patel was whether the plaintiffs had sufficiently shown that Facebook’s biometric surveillance caused them a concrete injury. The U.S. Constitution limits the federal courts to deciding “cases and controversies.” That means a plaintiff cannot sue a defendant unless they can show “standing,” meaning that the defendant has injured them in a concrete manner.

You’d think that when a company violates a person’s rights under a statute, and that statute provides that person a private right of action to sue that company, then that person automatically has constitutional standing. Unfortunately, you’d be wrong. In Spokeo, Inc. v. Robins (2016), the U.S. Supreme Court held that a person in such circumstances might or might not have standing. This depends, among other things, on the legal history of the particular statutory interest at issue. EFF filed an amicus brief in Spokeo (along with CDT, the Open Technology Institute, and the World Privacy Forum) arguing that standing in such cases should be automatic, but that view did not carry the day.

Spokeo can sometimes be a barrier to the enforcement of consumer data privacy laws. For example, when a company’s negligent data security practices cause massive breaches of consumers’ personal information, the company may argue that the injured consumers cannot sue based solely on violations of data security statutes. Rather, the company may argue, the Constitution also requires them to show a financial or physical injury, such as identity theft. This is one of the problems in our legal system that limited the recently proposed settlement of the Equifax data breach litigation. (Don’t forget to file your settlement claim against Equifax.)

The New Appellate Court Ruling in Patel

On August 8, a unanimous three-judge panel of the U.S. Court of Appeals for the Ninth Circuit held that the Patel plaintiffs have constitutional standing to sue Facebook for violating their statutory privacy rights under BIPA. In doing so, the appellate court forcefully explained the hazards of face surveillance and the importance of BIPA’s privacy protections.

The court presented centuries of history of U.S. legal protections for privacy, sounding in the common law and the Constitution. For example, in the context of the Fourth Amendment, the Supreme Court has repeatedly held that “advances in technology can increase the potential for unreasonable intrusions into personal privacy.” The appellate court cited the Supreme Court’s protection of the public from home-intruding heat detectors in Kyllo v. United States (2001), GPS location tracking in United States v. Jones (2012), cellphone searches in Riley v. California (2014), and cell-tower location tracking in Carpenter v. United States (2018).

The court held that “an invasion of an individual’s biometric privacy rights has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Quoting Carpenter, the court explained that biometric information is “detailed, encyclopedic, and effortlessly compiled.”

Most importantly, the appellate court explained the grave privacy threats posed by Facebook’s face surveillance:

Once a face template of an individual is created, Facebook can use it to identify that individual in any of the other hundreds of millions of photos uploaded to Facebook each day, as well as determine when the individual was present at a specific location. Facebook can also identify the individual’s Facebook friends or acquaintances who are present in the photo. Taking into account the future development of such technology as suggested in Carpenter, it seems likely that a face-mapped individual could be identified from a surveillance photo taken on the streets or in an office building. Or a biometric face template could be used to unlock the face recognition lock on that individual’s cell phone. We conclude that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.

The appellate court also upheld the trial court’s certification of a class of Facebook users. Facebook reportedly plans to seek review by the full appellate court.

EFF filed an amicus brief in Patel regarding the privacy menace of face surveillance, along with the ACLU, its Illinois and California affiliates, CDT, and Illinois PIRG.

Lessons For Legislators

Especially after the new Patel decision, Illinois’ BIPA is one of the most important data privacy laws in the country. What lessons does BIPA hold for legislators who want to better protect their constituents from corporations that place their profits before our privacy?

First, a privacy law is only as strong as its enforcement tools, and the best enforcement tool is a private right of action. In many cases, government agencies can’t or won’t enforce a statute. So people must be free to protect their own rights by filing their own lawsuits.

Second, Congress must not pass a weak federal data privacy law that preempts stronger state privacy laws. Many big tech companies told Congress for years that they could self-regulate. Now some of them are asking Congress for regulation. What changed? They want to dodge Illinois’ BIPA and other state consumer data privacy laws, like California’s Consumer Privacy Act and Vermont’s data broker registration statute.

Thus, opposition to preemption and support for private enforcement are EFF’s two most important demands, among our many proposals for new consumer data privacy legislation.

Next steps

The Ninth Circuit’s new ruling in Patel is a watershed in privacy law. It allows litigation to go forward challenging Facebook’s biometric surveillance of users absent their informed opt-in consent. It explains, more forcefully than any American appellate court opinion to date, the extraordinary privacy hazards of face surveillance. It holds that a loss of statutory privacy rights under Illinois BIPA is, by itself, a sufficient injury to show constitutional standing under Spokeo. And it clearly demonstrates the necessity of private rights of action, and why Congress must not preempt stronger state laws.

Most importantly, it shows what all of us must do now: contact our federal and state legislators, and demand that they enact strong consumer data privacy laws. Illinois BIPA, as strengthened by Patel, is a model for others to follow.