One of the biggest legal stories of 2020 barely made any headlines because, understandably, reporting on the COVID-19 pandemic and the presidential election dominated the news cycle. Mainstream attention on data privacy focused largely on the implementation and subsequent referendum expanding the California Consumer Privacy Act (“CCPA”), while the Schrems II invalidation of the GDPR Privacy Shield framework also gained widespread attention.
As a result, Facebook’s historic $650 million biometric privacy settlement under the Illinois Biometric Information Privacy Act (“BIPA”) attracted much less media fanfare. The settlement comes just a year after Facebook was hit with a record $5 billion fine by the Federal Trade Commission for deceiving users about their ability to control the privacy of their personal information.
Given the pace of current events, the lack of attention on this issue is not surprising, but it is unfortunate. Access to biometric data, including facial recognition technology, is one of the most important privacy issues attorneys will need to think about in the coming decades.
Facial Recognition Technology is No Longer Science Fiction
Facial recognition technology uses data to create a biometric map of the human face. Once the data is collected, algorithms analyze incoming images for unique facial features and dimensions to find a match, thereby attributing the new image to an individual.
Some estimates predict the facial recognition market will be worth nearly $9.6 billion by 2022. Facial recognition has already been tested at large public sporting events in the United States where attendees are admitted to the facility by facial authentication, rather than by paper ticket or other methods.
Facial recognition requires a database of information to reference in order to make matches. For example, social media companies and smartphone applications easily obtain this information when users voluntarily upload their photos. Such companies and applications typically obtain the users’ consent to use the uploaded photos in a terms of service agreement. But studies consistently show the majority of users rarely read digital terms of service agreements.
Facebook Settles Facial Recognition Class Action for $650 Million
In late January 2020, Facebook announced it would pay $550 million to settle a BIPA class action suit over its use of facial recognition technology. In July 2020, the settlement was increased to $650 million.
Illinois was the first state to pass legislation aimed at protecting biometric data, enacting BIPA in 2008. Among other provisions, BIPA requires that consent be obtained prior to the collection of a user’s biometric data. Because BIPA contemplates $1,000 to $5,000 for each violation of the law, a verdict could have exposed Facebook to billions in damages. The $650 million settlement is likely the largest facial recognition case to date.
The litigation arose from Facebook’s “Tag Suggestion” service. This is essentially a photo-labeling service that suggests the names of individuals in photos. Facebook obtained this information from “tagging,” a practice where users identified themselves and others in photos. This information was put into a database and eventually Facebook had enough data to automatically recognize the faces of users and make suggestions of users to “tag” in new photos.
But Facebook isn’t the only application on your smartphone potentially harvesting your biometric data. Several other popular smartphone apps have been criticized for the improper use of facial recognition technology. Most recently, the Clearview AI app came under criticism from privacy advocates. Clearview AI “scrapes” publicly available photos from social media accounts. Clearview AI contracts with law enforcement agencies and, until May 2020, also sold this information to private companies. Clearview promised to voluntarily terminate all contracts with entities based in Illinois after it was also sued under BIPA. Apple also faces multiple lawsuits under BIPA. One involves facial recognition; the other focuses on voice biometrics.
Technology Companies Promise Reform
In response to these recent controversies, several of the largest technology companies have announced restrictions on their development of facial recognition technology. On June 8, 2020, IBM announced it would no longer develop facial recognition technology.
On June 11, 2020, Microsoft followed by announcing it would no longer permit law enforcement use of its facial recognition technology.
Biometric data, including facial recognition, may be the most significant new legal front for privacy advocates. Biometric systems are becoming more common across society, such as the fingerprint sensor on many smartphones, retina scanning, and voice recognition.
Notwithstanding the likelihood of future litigation and public policy proposals, there are several actions individuals can take now to protect their privacy. Anyone concerned about protecting biometric data should avoid apps that require uploading a photo of their face. Also, users can avoid tagging themselves and others in social media posts. Finally, users can review their privacy settings and disable most facial recognition features.
Unfortunately, reining in the use of facial recognition technology by government agencies is not always so easy. Other governments, most notably China, paint an alarming picture of how biometric data can be abused by authorities in the absence of appropriate legal protections.
Several local jurisdictions already prohibit the use of facial recognition technology. Major cities such as San Francisco, Boston, and Oakland have adopted such laws. In June 2020, the Boston City Council voted unanimously to ban the use of facial recognition by police. Officials cited concerns including racial bias and misidentification. Other cities are going even further. Effective January 1, 2021, Portland, Oregon’s facial recognition ban applies to both government agencies and private businesses.
BIPA may only attract a fraction of the attention garnered by other prominent privacy laws like CCPA and GDPR, but with more actions filed under BIPA each month, this often-overlooked Illinois statute will become harder to ignore in 2021. Just as importantly, other jurisdictions may follow Illinois’ lead by enacting similar laws in the near future.
Patrick McKnight is an Associate in the Litigation Department of Klehr Harrison Harvey Branzburg LLP in Philadelphia, Pennsylvania. He is a member of the firm’s Data, Privacy, and Cybersecurity practice group. The opinions expressed in this article are those of the author and not necessarily of Klehr Harrison Harvey Branzburg LLP or its clients.