Annalisa Kolb

Associate Editor

Loyola University Chicago School of Law, J.D. 2023

On Friday, February 26, 2021, U.S. District Court Judge James Donato approved a 650 million-dollar settlement against tech giant Facebook for violating the Illinois Biometric Information Privacy Act. Chicago attorney Jay Edelson filed the class action lawsuit in 2015, alleging that Facebook had failed to obtain consent from users before using facial recognition technology to scan and digitally store uploaded photos.

The Judge stated that the settlement was one of the largest ever for a privacy violation, paying out at least $345 to every class member who filed for compensation. Judge Donato wrote in a statement that this case is “a major win for consumers in the hotly contested area of digital privacy.” The class includes any Facebook user located in Illinois, who has lived in Illinois for at least six months, and for whom Facebook created and digitally stored facial recognition data after June 7, 2011. The deadline to submit a claim was November 23, 2020.

Article III injury in privacy cases

Historically, it has been notoriously difficult to prove Article III’s “injury-in-fact” requirement in order to establish standing in privacy litigation. The Supreme Court has established the beginnings of a framework for analyzing Article III’s “injury-in-fact” requirement in two of its decisions. Specifically, in Clapper v. Amnesty International USA (2013), the Court held that the plaintiff’s anticipation or fear of a possible data breach was not concrete enough to establish injury, reasoning that injury must be “certainly impending” to constitute injury and may not be overly speculative. Later, in Spokeo, Inc. v. Robins (2016), the Court specified that a “risk of real harm” may be enough to establish injury-in-fact if the risk of injury is concrete and particular. The Court further explained that although a statute may provide a private right of action, there still must be an alleged concrete and particularized harm to establish standing. Concrete, however, does not necessarily require the harm to be tangible. The Court reasoned that because Congress may be better equipped to determine when the risk of potential harm is sufficiently concrete, statutory non-compliance could constitute the basis of an injury without plaintiffs establishing any additional harm beyond the one identified by the statute.

The Illinois Biometric Information Privacy Act and Facebook’s violation

The Illinois Biometric Information Privacy Act  (“BIPA”) was passed in 2008 to safeguard the security and safety of Illinois citizens in an environment where biometric identifiers are collected and used more and more frequently. The Illinois Legislature specifically recognized the unique sensitivity of biometric data as it cannot be changed if compromised and is as unique to a person as their fingerprint.             

BIPA requires that a company that collects a person’s biometric information obtains a written release from that person before collection, provides notice that data is being collected and stored, informs of the duration information will be stored, and for what purpose data was collected. BIPA provides a statutory private right of action to anyone who is “aggravated” under BIPA. The term “aggravated” has been a point of contention within courts, with some ruling that a violation of any aspect of BIPA is sufficient to establish injury. In contrast, others held there must be both a violation of BIPA and another independent claim of injury.

The Seventh Circuit applied Spokeo in Bryant v. Compass Group USA Inc (2020), where the plaintiff alleged that a vending machine owner violated BIPA by collecting her fingerprint without obtaining her written consent. The Court held that the violation of the plaintiff’s rights, the collection of her private biometric information, was sufficient to establish concrete injury without alleging any further tangible consequences.

Many separate cases were filed against Facebook, later consolidated in federal court, alleging Facebook violated BIPA by collecting biometric data without notice or consent through its “tag suggestions” feature. The “tag suggestions” feature detects faces on newly uploaded images, compares them to faces on past uploaded images, and gives you suggestions on who to tag in the new photo. Facebook sought to dismiss the case, arguing that the plaintiffs lacked standing as they only alleged that Facebook collected their biometric data in violation of BIPA without alleging any additional concrete tangible damages.

Implications of this decision

The District Court, in this case, had the job of deciding whether a statutory privacy injury was sufficiently real and concrete to establish injury-in-fact under Article III. The District Court rejected Facebook’s standing argument, holding that the Illinois Legislature created a right to privacy regarding personal biometric data. Further, BIPA violations cause actual and concrete harm sufficient to establish Article III’s “injury-in-fact”. The Ninth Circuit affirmed and the Supreme Court denied certiorari.

The implications of this decision on a corporation’s internal legal risk analyses are enormous, posing potentially billion-dollar risks to tech giants who collect biometric data. Plaintiffs have a considerable incentive to pursue BIPA violations in pursuit of similar multimillion dollar settlements without having to establish a financial injury. Ultimately, this case illustrates how an established and specific state law like BIPA protects consumers and may offer some peace of mind during a time when public concern over the implications of surveillance technology is growing. But is it enough?

Biometric data is highly sensitive due to its immutable nature. If an individual’s biometric data is compromised in a data breach, there is very little they can do to stop an adversary from potentially using that data in devastating ways. While BIPA requires consent and sets guidelines when collecting biometric data, it is not difficult to comply with and does not necessarily decrease the risk of a data breach. As long as data is stored and accessed on the internet, there is always a risk of a data breach and therefore risk of subsequent litigation. Corporations should seriously consider if collecting biometric data is worth the risk, even if they comply with BIPA.