Skip to main content

Facebook’s photo tag suggestions could violate Illinois law — and cost billions

A judge denied Facebook’s request to toss out a lawsuit arguing that photo tag suggestions breaks a state law against collection of biometric data — twice. The lawsuit has been ongoing since 2015 but in a ruling filed on April 16, Judge James Donato denied the social network’s request to throw out the lawsuit. Donato, a federal judge in San Fransisco, also denied the same request in 2016.

The lawsuit claims that Facebook is breaking an Illinois state law that prohibits collection of biometric data without written consent, called the Biometric Information Privacy Act, by collecting user facial recognition data used in tools like photo tagging. Three Illinois residents are the plaintiffs in the case, but the ruling could represent millions more in the state, according to NPR. Monday’s ruling only says that there’s enough information for the case to move forward.

The case claims that Facebook is breaking that law when using facial recognition on the platform for tasks like suggesting a friend to tag in a photo. Facebook presented several arguments to have the lawsuit thrown out, including the fact that the company’s servers aren’t located in Illinois. Facebook also says they only store “face templates” and not face signatures.

The lawsuit is looking for $5,000 for each instance of using facial recognition without permission — something that could cost the network billions, the judge suggests, even when limited to Illinois. The lawsuit encompasses biometrics stored after June 7, 2011, the day Facebook launched the tag suggestions tool. According to the ruling, an estimated 76 percent of the faces in images on Facebook can be recognized by the tagging suggestion tool.

A previous lawsuit didn’t make it past the same ruling to determine if the case had enough information, because the lawsuit sought compensation for every person in Illinois included in an image, not users that the platform had facial recognition tags for.

While the lawsuit has been ongoing for years, the judge’s decision to deny Facebook’s request for a dismissal comes as the social network is facing increasing scrutiny over third-party app access to data, obscure data policies, and opt out practices in the wake of the Cambridge Analytica scandal.

Editors' Recommendations

Hillary K. Grigonis
Hillary never planned on becoming a photographer—and then she was handed a camera at her first writing job and she's been…
The EU could hit Facebook with billions in fines over privacy violations
Facebook CEO Mark Zuckerberg

Facebook may be facing some hefty fines from the EU.
The European Union is reportedly nearing the end of its investigation into some of the cases it opened against Facebook under the EU’s General Data Protection Regulation or GDPR, the Wall Street Journal reports.
In total, Ireland’s Data Protection Commission, which is leading the investigation since Facebook’s HQ in Europe is in Dublin, has 11 cases against the social network.
Some of those cases have been finalized to a point where the Commission has passed along its final investigative reports. Decisions, along with any proposed fines and sanctions, are expected to be near completion by the end of September.
If you’re not familiar, GDPR is a set of data privacy laws in the EU designed to give EU citizens more control over their personal data and how it is collected, stored, and used.
The law went into effect on May 25, 2018. We wrote a detailed primer on the law that can help explain things.
Even though Facebook is based in the United States, GDPR laws apply to the company since its service is used by individuals in the European Union.
The cases against Facebook are among the first GDPR cases to involve companies based in the United States. The results of the case could ultimately have an impact on privacy laws and regulations in the United States as well.
Under the GDPR, fines for violations can be up to 4% of a company’s worldwide revenue for the preceding year. In the case of Facebook, that could reach to $2.23 billion.
The EU didn’t provide much information about which cases it was nearing completion on. However, it did name one case, which involves whether Facebook gives WhatsApp users sufficient information about what it shares with Facebook proper.
In July, Facebook settled with the Federal Trade Commission in the United States over privacy violations, a settlement that required the social network to pay $5 billion, the largest fine in FTC history.
While that fine is a lot of money, to put things in perspective, Facebook earned $16.6 billion in revenue during the first three months of 2019.

Read more
Facebook could pay another multibillion-dollar fine over facial recognition
Mark Zuckerberg Tagged

Facebook could have to pay yet another multibillion-dollar fine after losing an appeals court decision on Thursday regarding the company’s use of facial recognition data. 

The 3-0 decision against the social media giant in the Ninth Circuit Court of Appeals was over a 2015 class action lawsuit that claimed the company violated the Illinois Biometric Information Privacy Act, according to court documents.

Read more
Privacy group sues FTC, says $5 billion Facebook fine is chump change
Facebook CEO Mark Zuckerberg

Earlier this week Facebook settled with the Federal Trade Commission (FTC) over privacy violations to the tune of $5 billion, the largest fine in the history of the FTC. While certainly huge, one privacy group thinks that the $5 billion fine isn’t quite enough.
The Electronic Privacy Information Center, known as EPIC, filed a lawsuit against the FTC regarding the settlement on Friday, saying that it is "insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission.”
The group wants the FTC to “require Facebook to restore the privacy settings users had in 2009; give users access to all of the data that Facebook keeps about them; stop making facial recognition profiles without users' consent; make the results of the government privacy audits public; and stop secretly tracking users across the web.”
It also wants the amount of the fine to be increased. While $5 billion is a large amount, it is a small penalty for the $571 billion company.
“The proposed order wipes Facebook’s slate clean without Facebook even having to admit guilt for its privacy violations,” reads the group’s complaint to the FTC.
“EPIC supports the findings in the FTC Complaint and supports, in part, the directives contained in the Consent Order. The Order makes clear that companies should not engage in unfair and deceptive trade practices, particularly in the collection and use of personal data. However, the proposed Order is insufficient to address the concerns originally identified by EPIC and the consumer coalition, as well as those findings established by the Commission.”
Many other critics also felt the settlement didn't go far enough. The two Democrats on the commission voted against it -- with and one commission, Rohit Chopra, criticized it for not holding senior executives like CEO Mark Zuckerberg or COO Sheryl Sandberg personally accountable for the violations.
In addition to the $5 billion fine, the FTC is requiring Facebook to submit to new restrictions as well as a modified corporate structure that will hold the company accountable for decisions it makes about its user’s privacy.
While it certainly could have been higher, the $5 billion fine is almost 20 times higher than the largest privacy or data security penalty ever imposed worldwide, says the FTC and is one of the largest penalties ever assessed by the U.S. government for any violation.

Read more