Facebook will face a class-action lawsuit with a payout potential of $35bn over how its photo tagging and facial recognition software works.
A US appeal court ruled yesterday that the antisocial network's attempts to bat away the sueball should fall accordingly, opening up Mark Zuckerberg's company to potentially billions of dollars in damages payouts.
Originally filed in Illinois, the class-action case alleged Facebook ignored a local privacy law in the state when it rolled out its facial recognition technology. The Zuckerborg's lawyers tried to argue that the local federal court had cocked up by letting the sueball roll on instead of throwing it out.
"Because a violation of the Illinois statute injures an individual's right to privacy, we reject Facebook's claim that the plaintiffs have failed to allege a concrete injury-in-fact for purposes of Article III standing. Additionally, we conclude that the district court did not abuse its discretion in certifying the class," ruled the appeal judges in a formal opinion filed on 8 August.
The people heading up the class action – Americans Adam Pezen, Carlo Licata and Nimesh Patel – claimed Facebook had breached their Illinois right to privacy by "collecting, using and storing biometric identifiers" from photos of their faces "without obtaining a written release and without establishing a compliant retention schedule".
Facebook argued in the appeal court that it had committed a technical breach of the Illinois law rather than a full-on "injury to a concrete interest" and said that meant the case ought to have been thrown out. It also argued that as far as the class action was concerned, "each class member would have to provide individualised proof that events in that class member's case occurred 'primarily and substantially within Illinois'".
Addressing this, the court pointed out that "the statute does not clarify whether a private entity's collection, use and storage of face templates" has to take place within Illinois, adding: "If the violation of BIPA [the local state law] occurred when the plaintiffs used Facebook in Illinois, then the relevant events occurred 'primarily and substantially' in Illinois."
Facebook told Reuters that it intends to appeal, with the newswire reckoning that 7 million Facebook users could be in line for a payout of between $1,000 and $5,000 each. The Vulture Central Payout-O-Matic calculator totals this as an absolute maximum of $35bn. ®
In a phone interview with The Register, Nathan Wessler, staff attorney with the ACLU’s speech, privacy and technology project, said Facebook could file a petition to have the full appeals court review the case or could seek a hearing before the US Supreme Court, though he considers that unlikely.
Facebook did not immediately respond to a request for comment.
The claim against Facebook relies on the Illinois Biometric Information Protection Act (BIPA), which differs from biometric privacy laws in Texas and Washington state in that it allows private individuals to file claims and seek damages.
“It’s a strong signal to other states and to Congress that privacy statutes need to have private rights to action,” said Wessler. “I hope this will spur other states to follow Illinois’ lead.”
Every year, said Wessler, technology companies and their trade groups try to roll back BIPA, including in the most recent legislative session. The effort, he said, fell apart when consumer groups got wind of the lobbying campaign.
“I don’t think there’s momentum right now for the law to be amended or appealed but I’m sure they will try again,” he said.
Wessler said he doubted any fines levied against Facebook, if the case ultimately goes against the company, will be large enough to matter. “It’s hard to imagine it making a significant dent in its bottom line,” he said.
Nonetheless, he said he believes monetary damages are a deterrent. And he expressed optimism that legislators will attempt to address privacy issues. “There’s more momentum now than I’ve ever seen in my career working on these issues,” he said. “The odds are better now than they have been in decades, due to the raft of revelations about the terrible data privacy and security practices of the technology companies that touch all our lives.”