In 2015, Facebook was sued for violating the Illinois’ Biometric Information Privacy Act (BIPA)[1] in federal court in California in a class action lawsuit brought on behalf of Illinois consumers.[2] The BIPA created a comprehensive set of rules for regulated companies that collect biometric data from Illinois residents. In general, these companies must implement a policy for: (1) informing those from whom biometric information is collected of the fact that the information is being collected and for what purpose; (2) obtaining consent from those whose biometric information is collected to the use of the information for the purposes described in the policy and any potential dissemination of that information to third parties; and (3) a publicly available “retention schedule” for the information.
The Complaint alleges that Facebook actively collected, stored, and used facial recognition profiles of more than one billion users without any written notice or informed written consent. The Complaint explains that around the year 2010, Facebook began implementing its “tag suggestion” feature, which utilizes advanced facial recognition software to automatically match users’ pictures with their names. Facebook’s software allegedly collected, analyzed, and compared the facial features in users’ uploaded photographs and saved a “face template” in Facebook’s database. As a result of this technology, whenever a user uploaded a photograph, Facebook’s “Tag Suggestions” compared the faces of any individual in that photograph to the face templates stored in the Facebook database. If there was a match, Facebook suggested that the user “tag” the person in the photograph with the appropriate name. The Complaint states that Facebook’s facial recognition database is so extensive that it dwarfs the facial recognition database maintained by the FBI.
The plaintiffs claim that Facebook’s violations of the BIPA were “intentional or reckless” was bolstered by Facebook’s 2019 settlement with the Federal Trade Commission in which it was to pay a $5 billion-dollar fine for its violations of a 2012 Consent Decree. The July 2019 settlement stemmed from allegations that Facebook had consistently misled its users regarding their privacy and personal information. Regarding these allegations, the FTC stated that Facebook began violating the 2012 decree in multiple ways “starting almost immediately” after the parties made the agreement.
Facebook attempted to settle the lawsuit, agreeing to a $550 million-dollar settlement with the class of Illinois consumers. The settlement required court approval. However, on June 4, 2020, Judge James Donato raised numerous issues with the proposed settlement.
The BIPA authorizes a $1,000 per-violation fine, and a $5,000 enhancement penalty for intentional or reckless violations. Accordingly, the maximum recovery for the class could have been $47 billion dollars. In light of this extreme potential liability, Judge Donato suggested that the proposed settlement of $550 million dollars, merely 1.25% of the amount the class might have been able to recover under the BIPAA, was insufficient. Judge Donato argued that a proper damages award would give sufficient deference to the Illinois legislature’s intent when determining the damages award for violations of the Act.
Judge Donato was also concerned that the agreement would release Facebook subsidiaries such as Instagram, WhatsApp, and Oculus VR from BIPA liability. None of these subsidiaries were defendants in the lawsuit and their inclusion in the release agreement raises questions regarding these entities’ compliance with data and consumer privacy laws. Finally, Judge Donato knocked Facebook’s proposed notice to potential class members, saying that it must be much more conspicuous so as to provide affected consumers adequate opportunity to file claims.
Judge Donato declined to approve the proposed settlement and ordered Facebook to produce relevant, informed personnel to explain how Facebook intends to amend its business practices with respect to consumer privacy. On July 23, 2020 Judge Donato conducted a hearing which included testimony from Facebook’s Face Recognition Product Manager. Thereafter, on August 19, 2020, Judge Donato preliminarily approved a revised version of the parties’ proposed settlement.
The class will include all Facebook users in Illinois for whom Facebook created and stored a face template between June 7, 2011, and August 19, 2020. Facebook is set to pay $650 million into a “non-reversionary cash fund.” Settlement administration expenses, taxes, class representatives’ incentive awards, and attorneys’ fee awards will be paid first. The remaining funds will be distributed on a pro rata basis to each class member who has timely submitted a claim. Class members are expected to receive an estimated $350 each.
The revised settlement also removes the release of Instagram, Oculus, and WhatsApp from BIPA liability. Facebook further agreed to set the default face recognition setting for users to “off,” and to delete existing and stored face templates for all class members. Facebook will also delete face templates for users who are inactive on the platform for three years or more.
The case has yet to be formally concluded, as individual objectors have taken issue with various aspects of the proposed settlement, ranging from the governing law, to the class size, to the propriety of the attorneys’ fees award. However, on January 14, 2021 Judge Donato conducted a hearing for final approval of the class settlement. Barring any last-minute changes, the $650 million settlement will be the largest data privacy settlement on record, eclipsing the $117 million Yahoo data breach settlement, the $195 million Home Depot data breach settlement, and the highly-publicized $380 million Equifax data breach settlement.[3]
To avoid BIPA liability, companies whose businesses involve the use and storage of Illinois residents’ personal information should obtain the guidance of experienced counsel. If you have questions about how to comply with the BIPA, or the adequacy of your business’ current policies, contact Joseph Messer at jmesser@messerstrickler.com or (312) 334-3440, or Luke Chamberlain at lchamberlain@messerstrickler.com or (312) 216-1218.
40 ILCS 14/1, et seq.
[2] Patel v. Facebook Inc., 3:15-cv-03747-JD (N.D. Cal.)
[3] The Equifax settlement value was calculated based largely on the value of the free credit monitoring services to which class members were entitled. The settlement provided for only $31 million in cash payments.