Facebook faces huge damages risk as Ninth Circuit allows privacy suit over facial recognition to go forward
02 Apr 2020 12:40 pm by Mike Swift
Facebook must defend privacy litigation over facial recognition technology that puts the company at risk of billions of dollars in damages, following a US appeals court’s affirmation today of two lower court decisions that the plaintiffs have standing to sue and that the massive potential damages can’t obviate certification of a victims’ class.
The unanimous decision by a three-judge panel on the US Court of Appeals for the Ninth Circuit in San Francisco affirmed earlier rulings by US District Judge James Donato in a lawsuit alleging Facebook’s use of facial recognition without consent violated the Illinois Biometric Information Privacy Act, BIPA. Facebook said it will continue the appeals process.
"Because the privacy right protected by BIPA is the right not to be subject to the collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests," US Circuit Judge Sandra Ikuta wrote in the decision. "Accordingly, we conclude that the plaintiffs have alleged a concrete injury-in-fact sufficient to confer Article III standing."
"Facebook’s alleged collection, use, and storage of plaintiffs’ face templates here is the very substantive harm targeted by BIPA," the court said.
"Because we conclude that BIPA protects the plaintiffs’ concrete privacy interests and violations of the procedures in BIPA actually harm or pose a material risk of harm to those privacy interests," Ikuta wrote, "the plaintiffs have alleged a concrete and particularized harm, sufficient to confer Article III standing."
In the 24-page decision, Ikuta drew a historical line back to the birth of common law privacy rights in the US in an 1890 article by Louis Brandeis, and concluded the development of 21st Century computer technologies like facial recognition must be subject to the same legal standards as those that governed pre-Internet technologies.
The decision also relied on the Supreme Court’s 2016 ruling in a privacy case involving the people search-engine Spokeo, in which the high court said plaintiffs must allege they have suffered a “concrete” and “particularized” harm to gain standing, but that the claimed harm could be an intangible, non-economic one.
“In light of this historical background and the Supreme Court’s views regarding enhanced technological intrusions on the right to privacy, we conclude that an invasion of an individual’s biometric privacy rights ‘has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts,’ ” Ikuta wrote, quoting the Spokeo case.
Other tech companies, including Google, have faced similar litigation that alleges the use of facial recognition without user consent violates BIPA. Google won at the district court level in the Northern District of Illinois, but it has taken the unusual step of appealing that win to the US Court of Appeals for the Seventh Circuit, seeking an order to end the case permanently.
Jay Edelson, who heads the Edelson law firm, which is representing the plaintiffs, said the Ninth Circuit ruling could clear the way for the most significant and largest consumer privacy case ever to be tried in front of a jury.
"Facebook has essentially made a gamble of as much as tens of billions of dollars that it could escape liability on mainly technical grounds," Edelson said. "We are excited to present our case to a jury."
In a statement from a spokesman, Facebook said it plans to "seek further review of the decision. We have always disclosed our use of face recognition technology and that people can turn it on or off at any time." Facebook can ask the Ninth Circuit to rehear the appeal en banc and, if that fails, ask the US Supreme Court to review the case, or skip the en banc rehearing and appeal directly to the Supreme Court.
Facebook said in oral argument in June before Ikuta, US Circuit Judge Ronald M. Gould and US District Judge Benita Pearson of the Northern District of Ohio that Donato’s twin decisions to allow the facial recognition suit to move forward were incorrect because the plaintiffs couldn’t show harm, because common issues didn’t bind the class, and because a possible damages award in the billions of dollars was never intended by the Illinois state legislature when it passed BIPA in 2008.
But in today’s ruling, Ikuta wrote the size of the potential statutory damages to Facebook in BIPA, which could be more than $1,000 for each of the millions of Facebook users in the state of Illinois, did not stop Donato from certifying the class.
“Where neither the statutory language nor legislative history indicates that the legislature intended to place a cap on statutory damages, denying class certification on that basis would ‘subvert [legislative] intent,’ ” Ikuta wrote, citing a 1974 antitrust case involving potential liability of $750 million. “Here, nothing in the text or legislative history of BIPA indicates that a large statutory damages award would be contrary to the intent of the [Illinois] General Assembly. Therefore, the district court did not abuse its discretion in determining that a class action is superior to individual actions in this case.”
Facebook, which did not immediately reply to a request for comment, has been using its “Tag Suggestions” feature since 2010. The company creates mathematical templates of its users’ facial geometries to allow people to easily tag their friends using Facebook’s vast facial template databases. Those facial templates are stored in data centers in Oregon, California, Iowa, Texas, Virginia and North Carolina, as well as outside the US.
Facebook also argued the case couldn’t proceed because BIPA is a state law and none of the data centers where facial templates were processed were in Illinois. Therefore, the state’s extraterritoriality doctrine precluded Donato from certifying the class, Facebook argued.
“We disagree,” Ikuta wrote.
“The parties’ dispute regarding extraterritoriality requires a decision as to where the essential elements of a BIPA violation take place,” the judge wrote. “The statute does not clarify whether a private entity’s collection, use, and storage of face templates without first obtaining a release, or a private entity’s failure to implement a compliant retention policy, is deemed to occur where the person whose privacy rights are impacted uses Facebook, where Facebook scans photographs and stores the face templates, or in some other place or combination of places.”