Facebook to pay $650 million for violation of BIPA

In a recent settlement In re: Facebook Biometric Information Privacy Litigation, case number 3:15-cv-03747, the tech-giant Facebook, was ordered to pay $650 million for crossing the Illinois privacy law, formulated to protect the residents of the state from invasive privacy practices.

The Biometric Information Privacy Act (BIPA) came into effect in the year 2008 with the intent to address the increased risk of identity theft vide processing of biometric data. As per the legislators, when an individual’s biologically unique data is compromised, the individual is left with no recourse. Therefore, BIPA was enforced. Through the legislation, collection, usage and sharing of “biometric information” and “biometric identifiers” by “private entities” is regulated. Also, certain security requirements are imposed. BIPA imposes five obligations, namely, a) written retention and destruction policy, b) written release, c) prohibition against profiting (even with consent), d) restrictions on disclosure, and e) security requirements. The most significant feature of the legislation is its enforcement. Under BIPA, an individual can bring a private right of action which enables him/her to recover “for each violation” liquidated damages of $1,000 or actual damages for negligent violations and liquidated damages of upto $5,000 or actual damages for intentional or reckless violations. The legislation also provides for recovery of attorney’s fees and costs.

The suit against Facebook was first filed in the year 2015 under BIPA, wherein it was alleged that Facebook violated the provisions of BIPA through its practice of tagging people in photos using facial recognition technology without their consent. This violated the legislation because Facebook purportedly scanned facial geometry without obtaining written releases from the tagged individuals. The Ninth Circuit affirmed the class action and on appeal, the U.S. Supreme Court denied certiorari. Once the case was remanded to the district court in January, 2020, Facebook proposed a $550 million settlement. However, the same was rejected by the district court as it considered $550 million to be inadequate. Thereafter, the social media company proposed $650 million, which the court accepted. As a result of the settlement, 1.6 million residents of Illinois would receive a minimum sum of $345 as damages for using their “biometric information” without their explicit consent.

Similar lawsuits have been filed against Microsoft, Google and Amazon, whereby they have been alleged to be in violation of the same law. Further, in response to the class action, Facebook disabled its feature of automatic facial recognition tagging in 2019, making it an opt-in option instead. As is evident, Illinois privacy law, BIPA is a strong and remarkable legislation, which has pushed the tech companies to obey its provisions, thereby, protecting an individual’s privacy. It even targets the small companies which is evident from the class action against Clearview AI for its controversial facial recognition feature. Through BIPA, Clearview was forced to pull out of business in the state altogether. A strong legislation is one-step forward to regulate the privacy-invading activities of the tech companies. Also, the Illinois legislation has provided a framework for other states to adopt and adapt.

Leave a Reply