SAN FRANCISCO — A class-action lawsuit that challenges Facebook's use of facial recognition and biometric data-collection software to identify people in user-uploaded photos is moving ahead following a recent order handed down by a federal judge in California.
U.S. District Court for California's Northern District Judge James Donato denied Facebook's motion to dismiss the case, taking to task Facebook's arguments its biometric information collection is a problem only if "real-world harms" are alleged.
"That contention exceeds the law," Donato wrote in his 10-page order signed Feb. 26.
"The Supreme Court has expressly recognized that the violation of statutory procedural rights in itself can be sufficient, without any additional harm alleged."
U.S. District Court Judge James Donato
Facebook had asked the court to dismiss the case, saying the plaintiffs had failed to state a claim and that the Illinois Biometric Information Privacy Act (BIPA) does not apply, according to the order.
The case before Donato originally had been three separate cases filed in federal and Illinois courts by named plaintiffs Nimesh Patel, Adam Pezen and Carlo Licata, which were consolidated into a single action last spring, according to the background portion of the order. Plaintiffs' allegation against Facebook arise from the social media giant's use of its "Tag Suggestions" software, launched in 2010, in which Facebook users identify or "tag" other users and non-users, which identifies them for upload, according to the order.
"In effect, the program associates names with faces in photos and prompts users to tag those people," Donato's order said. "Tag Suggestions uses 'state-of-the-art facial recognition technology' to extract biometric identifiers from photographs that users upload. Facebook creates and stores digital representations, known as 'templates', of people's faces based on the geometric relationship of facial features unique to each individual, like the distance between a person's eyes, nose and ears."
The three plaintiffs claim that Facebook is "secretly and without consent" collecting users' biometric data in violation of BIPA, the order said. The plaintiffs claim Facebook didn't inform them or other members of the class in writing that their biometric identifiers "were being generated, collected or stored," for what "specific purpose and length of time," the order said.
The plaintiffs also claim Facebook didn't "provide a publicly available retention schedule and guidelines for permanently destroying the biometric identifiers," a way for users to opt out or obtain users' written release to collect their biometric identifiers, the order said.
The plaintiffs are seeking "declaratory and injunctive relief and statutory damages," the order said.
In addition to legal arguments that were part of its motion to submit, Facebook provided the court with its user agreement and data policy, as part of its claim that it had "actually satisfied" BIPA notice and consent requirements, the order said. "While that may or may not prove true in the end, the salient point for present purposes is that notice and consent are inextricably intertwined with the merits of plaintiffs' claims," the order said.
Facebook also relied upon a number of precedential cases, including last year's Gubala v. Time Warner Cable in the U.S. Court of Appeals for the 7th Circuit, in which the plaintiff filed suit because Time Warner kept his social security number and other personal information, according to the order. "But that is of scant relevance here because BIPA expressly recognizes that social security numbers do not implicate the kinds of privacy concerns that biometric identifiers do," Donato said in his order.
"Biometric identifiers, as the Illinois legislature found, are unlike other unique identifiers such as social security numbers, because those, when compromised, can be changed."