Largest Privacy Settlement Won in Illinois Class-Action Litigation
By Michael A. Shapiro, Senior Counsel and Director, Data Privacy
This article was published on: January 31, 2020
On January 29, Facebook revealed that it has reached a tentative $550 million settlement of an Illinois class-action litigation alleging a wrongful use of its facial- recognition technology on residents of the state. The settlement will be the largest-ever cash privacy settlement won by class-action attorneys. It will also require Facebook to obtain consent from Illinois users for such functions as “face-tagging.”
The lawsuit (Patel v. Facebook, Inc.) alleged that plaintiffs did not consent to having their uploaded pictures scanned with facial recognition software for purpose of “tag suggestions” and weren’t informed of how long the data would be saved when the mapping started in 2011. The claim was brought under the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., which requires private entities to provide notice and obtain written consent before biometric information is collected, prohibits the sale of and restricts the overall disclosure of biometric information, and requires companies to follow a reasonable standard of care in storing, transmitting, and protecting biometric information from disclosure. Facebook potentially faced up to $35 billion in damages in the lawsuit.
The main legal issue in the case was whether plaintiff suffered an “actual injury” or “concrete harm” sufficient to establish Article III standing to sue in federal court. Facebook argued that users lacked standing to sue because the mapping of their facial data did not cause them to lose money or suffer any economic injury. The Ninth Circuit Court of Appeals, however, concluded that the development of a face template using facial-recognition technology without consent invades an individual’s private affairs and concrete interests. The Court held that Facebook’s alleged violation of the BIPA statutory requirements necessarily violates plaintiff’s substantive privacy interests sufficient to establish standing in federal court. Earlier this month, the United States Supreme Court declined to take the appeal in the case.
The Patel decision, along with the Illinois Supreme Court ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, which held that failure to comply with the BIPA requirements subjects the defendant company to statutory damages and injunctive relief in the absence of plaintiff showing actual injury or adverse effect, raise the stakes for companies subject to the BIPA and other privacy statutes allowing for a private right action as non-compliance with the statutory requirements might result in claims for substantial damages.
Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653