May 25, 2016

Tag, You’re It! Facebook’s Sobering Lesson in Biometric Privacy

Facebook’s photo tagging suggestions feature (which prompts users to tag by name the people who appear in uploaded photos) may violate the little-known Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 et seq., otherwise known as BIPA. On May 5, a federal district court in California, applying Illinois law (after refusing to enforce a clause in Facebook’s user agreement that provides for California law to govern any litigation), denied Facebook’s motion to dismiss a class action suit under BIPA. In so doing, the court in In re Facebook Biometric Information Privacy Litigation held that the statute’s requirements extended beyond in-person scans and could also prohibit creating (without informed consent) representations of facial geometry from scanning digitized photos. Thus, BIPA has the potential to reach a wide variety of applications using image recognition technology.

BIPA requires a private entity possessing “biometric identifiers” or “biometric information” to develop a written, publicly available policy that establishes a retention schedule and guidelines for permanently destroying the identifiers or information when the initial purpose for collecting or obtaining them has been satisfied, or within three years of an individual’s last interaction with the private entity, whichever comes first. The statute also requires the private entity to comply with this retention schedule and these destruction guidelines.

BIPA defines a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” However, the statutory definition excludes “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.” “Biometric information” means “any information, regardless of how it is captured, converted, stored or shared, based on an individual’s biometric identifier used to identify an individual.” In the Facebook litigation, Facebook argued unsuccessfully that the statutory exclusion for photographs meant that unique identifying facial geometric information derived from scans of uploaded photographs also fell outside the statute’s reach. However, the court interpreted the photo exclusion very narrowly, reading it to refer only to paper prints of photographs and not digitized images stored as computer files.

A private entity may not collect or otherwise obtain a person or customer’s biometric identifier or biometric information without first (1) providing written notice to the data subject or their representative that the information is being collected or stored and of the specific purpose and duration for which the information is being collected, stored and used, and (2) receiving a written release, defined as informed consent. Disclosure of biometric identifiers or biometric information, even when validly obtained, is also limited, and (unless required by law or by a valid warrant or subpoena) may only occur with the subject’s consent or to complete a financial transaction requested or authorized by the subject or their representative. The statute imposes a total ban on selling, leasing, trading or otherwise profiting from a person or customer’s biometric identifier or biometric information. Finally, BIPA requires private entities to use reasonable industry standard security measures in connection with storing, transmitting and protecting biometric identifiers and information from disclosure, and they must do so in a manner that is “the same as or more protective than” the manner in which they store, transmit and protect personal information like Social Security numbers, account numbers and PIN numbers.

A plaintiff’s remedies under BIPA include liquidated damages of $1,000 for a negligent violation and $5,000 for a reckless or intentional violation (or alternatively, in either case, the plaintiff’s actual damages, if greater), as well as reasonable attorneys’ fees for any BIPA violation and any other relief (such as an injunction) that a court may deem appropriate. Thus, there is a potential for significant liability if the provider of a widely used photo sharing website or app uses image or voice recognition technology in a certain manner to identify individuals.

The court in the Facebook litigation left open the possibility that additional fact development concerning Facebook’s actual technology and practices could affect the viability of the plaintiffs’ BIPA claims. Still, if it is upheld, the court’s narrow (and somewhat questionable) interpretation of the photo exclusion to apply only to traditional print photographs and not to computer files means that many Internet businesses will need to quickly develop compliant biometric privacy policies and practices (including procedures for obtaining informed consent, most likely outside of and in addition to their traditional privacy policies).

For any questions on how BIPA or biometric privacy may impact your business, please contact Andrew Baer (