The Court in the Facebook BIPA Litigation Gets Serious About Protecting Consumers’ Privacy Rights

Earlier this year, we reported that Facebook reached a tentative $550 million settlement in a federal class-action litigation alleging a wrongful use of its facial- recognition technology on residents of Illinois. The settlement was lauded as the largest-ever cash privacy settlement won by class-action attorneys.

The lawsuit was brought under the Illinois Biometric Information Privacy Act (BIPA), which requires private entities to provide notice and obtain written consent before biometric information is collected, prohibits the sale of and restricts the overall disclosure of biometric information, and requires companies to follow a reasonable standard of care in storing, transmitting, and protecting biometric information from disclosure.  Plaintiffs alleged that they did not consent to having their uploaded pictures scanned with facial recognition software for purpose of “tag suggestions” and were not informed of how long the data would be saved when the mapping started in 2011.

At a recent hearing to preliminarily approve the settlement, the federal judge presiding over the case declined to approve the proposed deal and indicated that he many questions about it.

Specifically, the judge took an issue with the fact that under the settlement, the most a class member would recover is $300, but more likely $150, even though the BIPA provides for a $1,000-per-violation fine, even when the violation is not intentional.  Furthermore, the judge noted that the settlement did not address BIPA’s enhanced fines for  intentional or reckless violations, which he said might potentially be viable given that Facebook agreed to pay the FTC $5 billion for violations of the 2012 consent decree over its privacy practices.

As reported by Law360, the judge stated that the Illinois legislature said “loud and clear” that privacy rights are meant to be protected, that there’s a high price for violations, and the Facebook is “effectively taking a 99.75% discount on the amount that the . . . legislature said [should be paid].”

The judge also noted his concerns about how the settlement requirement for Facebook to delete its facial-recognition data would interact with the FTC consent order which already requires Facebook to do so.  The FTC also obligated Facebook to implement a comprehensive privacy program that promotes accountability and independence of privacy-related decision-making.  The judge ordered Facebook to give a presentation about how their business practices are changing and how the company is deleting the data.

Even though the Court might eventually approve the settlement, its stance at the hearing is a stark reminder that companies ignoring their obligations under privacy laws are doing so at their own peril.  With courts seeking to protect consumer privacy rights, even a record-setting settlement might not be enough for the defendant company to walk away from the privacy litigation.

 Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653