Facial recognition software has grown exponentially over the past several years. It is used almost everywhere, from airports, shopping centers, law enforcement and even Facebook. Many states have also issued privacy laws protecting consumers from these types of invasions of privacy. For example, Illinois enacted The Illinois Biometric Information Privacy Act, which has been in the news lately. 740 Ill. Comp. Stat. 14/1 et seq. (2008). This statute requires companies to obtain written releases from individuals before collecting their “face geometry” and other biometric data.
A recent case demonstrates the strict application of this statute. In 2015, Illinois residents filed a complaint, in the District Court of the Northern District of California, alleging that Facebook’s photo-tagging feature violates the Illinois Biometric Information Privacy Act. Facebook moved to dismiss the Plaintiffs’ complaint for lack of standing and argued that these residents did not allege a concrete “injury” by this technology. While Facebook’s motion to dismiss was pending, the Plaintiffs moved to certify a class Under Rule 23 of the Federal Rules of Civil Procedure. The District Court denied Facebook’s motion to dismiss and certified a Rule 23(b)(3) class. Facebook appealed the district court’s ruling. The Ninth Circuit rejected Facebook’s argument and explained that use of facial technology “without consent invades an individual’s private affairs and concrete interests.” Patel et al. v. Facebook, Inc., No. 18-15982 (N.D. Cal. Aug. 8, 2019). Facebook then asked the Supreme Court to intervene. However, on January 21, 2020 the Supreme Court denied Facebook’s petition for certiorari and chose not to intervene. See Facebook, Inc. v. Patel, No. 19-706 (U.S. 2020). Since then, Facebook has agreed to pay $550 million to settle this class action for its use of facial recognition.
The Supreme Court’s decision not to hear the case is important to the future of the “injury-in-fact” requirement for class standing in privacy lawsuits. Courts appear to be recognizing that the loss of control over this personal and private information can cause harm, and thereby satisfies the standing requirements under Article III. And that tangible injury like “financial loss” is not the only type of injury, particularly in our growing and globally connected world. Technology companies that use this facial recognition technology with its customers can expect to be more susceptible to new litigation on this subject. Additionally, these companies should be prepared for some amount of forum shopping. Because there is no national standard on what constitutes an injury-in-fact in regard to privacy, it is likely that different courts will issue different rulings that may lead to inconsistent results.