The U.S. Court of Appeals for the Ninth Circuit (‘the Ninth Circuit Court’) affirmed, on 8 August 2019, in Nimesh Patel et al v. Facebook, Inc. (‘the Decision’), the decision of a district court on the certification of a class of plaintiffs who alleged that Facebook’s facial recognition technology violated the Illinois Biometric Information Privacy Act of 2008 (‘BIPA’). The plaintiffs asserted that Facebook had violated Sections 15(a) and 15(b) of BIPA by collecting, using, and storing biometric identifiers from their photos without obtaining a written release or establishing a compliant retention schedule. Facebook, on the other hand, argued that the plaintiffs failed to demonstrate that they had suffered an injury-in-fact that is sufficiently concrete for purposes of standing.
Mary A. Smigielski, Partner at Lewis Brisbois Bisgaard & Smith LLP, told OneTrust DataGuidance, “The Decision can be distinguished due to the significant level of biometric collection involved and thus the level of alleged harm by Facebook […] The Ninth Circuit Court describes the facial recognition technology as being able to obtain information that is ‘detailed, encyclopaedic, and effortlessly compiled.’ This is vastly different than technology that acquires an image of points on a person’s finger, or even a fingerprint, particularly when the average person leaves their fingerprints on countless surfaces each day and the fingerprint technology typically cannot be reverse engineered […] The ‘harm’ analysis is fact dependent, and [the facts of the Decision] are different from the average case, akin to Basset v. ABM Parking Services, Inc., where a company merely used technology that turned points on a finger into an algorithm that cannot be reverse engineered.”
Further to the above, the Ninth Circuit Court addressed the question of whether the specific violations alleged caused actual harm or presented a material risk of harm arising from Facebook’s facial recognition software. The Ninth Circuit Court noted that facial recognition is used for photo ‘tag suggestions’, and that it enables Facebook to extract geometric data points that make a face unique, such as the distance between the eyes, nose, and ears, to create a face signature. In addition, it stated that the technology then compares the face signature to faces in Facebook’s database of user face templates, which are face signatures that have already been matched to the user’s profile. If these match, Facebook may suggest tagging the person in the photo.
Lauren Steinhaeuser, Attorney at Faegre Baker Daniels LLP, told OneTrust DataGuidance, “The Ninth Circuit Court found that violations of BIPA’s statutory requirements ‘amounted to a violation of [plaintiffs’] substantive privacy rights,’ and, therefore, they ‘suffered a concrete injury’ sufficient to confer standing under Article III of the U.S. Constitution. The Ninth Circuit Court’s decision that a procedural violation of BIPA may be sufficient to confer standing is key for businesses, as it suggests liability in the absence of any actual harm to the individual.”
The Ninth Circuit Court outlined that requirements under Section 15 of BIPA include establishing a retention schedule as well as guidelines for permanently destroying biometric identifiers and biometric information. In addition, it stipulated that businesses must notify the individual in writing and secure a written release before obtaining a biometric identifier. Finally, the Ninth Circuit Court noted that businesses should be aware that in case of a violation of a regulation, BIPA also provides for actual and liquidated damages.
Steinhaeuser added, “Facebook argued that, because its collection of biometric data and its creation of face templates occurred on servers outside of Illinois, alleged violations of BIPA would have occurred outside of the state, and, therefore, each plaintiff would have to provide individual proof that alleged events occurred in Illinois such that common issues would not predominate. The Ninth Circuit Court disagreed with Facebook [and] inferred that the Illinois Government had expected that BIPA would apply to individuals who are located in Illinois, even if some relevant activities occurred outside of the state. Nevertheless, the Ninth Circuit Court did recognise that future decisions or circumstances may lead the district court to determine that individual cases may be appropriate, at which time the district court could de-certify the class.”
Lea Busch, Privacy Analyst