Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Unique Illinois Privacy Law Leads to $550M Facebook Deal

Adam Pezen, Carlo Licata and Nimesh Patel are among millions of people who have been tagged in Facebook photos at some point in the past decade, sometimes at the suggestion of an automated tagging feature powered by facial recognition technology.

Adam Pezen, Carlo Licata and Nimesh Patel are among millions of people who have been tagged in Facebook photos at some point in the past decade, sometimes at the suggestion of an automated tagging feature powered by facial recognition technology.

It was their Illinois addresses, though, that put the trio’s names atop a lawsuit that Facebook recently agreed to settle for $550 million, which could lead to payouts of a couple hundred dollars to several million Illinois users of the social networking site.

The lawsuit — one of more than 400 filed against tech companies big and small in the past five years, by one law firm’s count — alleges that Facebook broke Illinois’ strict biometric privacy law that allows people to sue companies that fail to get consent before harvesting consumers’ data, including through facial and fingerprint scanning. Privacy advocates hail the law as the nation’s strongest form of protection in the commercial use of such data, and it has survived ongoing efforts by the tech industry and other businesses to weaken it.

Attorneys who focus on privacy law predict that the Facebook settlement — if approved by a federal judge — will trigger a new round of lawsuits and make the targets of existing ones more likely to settle. Illinois’ legal landscape also could shape debates over privacy protection in other states and in Congress, particularly about whether individuals should have the right to sue over violations.

“We’re going to see a lot of constituents saying, ‘Why not me?’” said Jay Edelson, a Chicago attorney whose firm first sued Facebook for allegedly breaking Illinois’ law. “This settlement, it’s going to really make the point that having laws on the books is the difference between people getting to go to court and getting real relief, and otherwise just getting trampled by these tech companies.”

Although the buying and selling of consumer data has become a multi-billion-dollar industry, Illinois’ law — the Biometric Information Privacy Act — predates even Facebook’s iconic “like” feature and was a reaction to a single company’s flop.

Pay By Touch, a startup that teamed with grocery stores to offer fingerprint-based payments, had gone bankrupt and was expected to auction off its assets, including its database of users’ information. Worried about where that user data would wind up, Illinois lawmakers quickly passed a law in 2008 requiring companies to get consent before collecting biometric information and to create a policy specifying how that information will be retained and when it will be destroyed.

It also gave Illinois residents the right to sue for $1,000 over negligent violations and $5,000 for intentional violations.

Advertisement. Scroll to continue reading.

For years, “literally nothing happened,” said John Fitzgerald, a Chicago attorney and author of a book on the law that is due out this year. He couldn’t find any record of a case filed before 2015.

Edelson’s firm and others that focus on class-action suits were first, accusing Facebook of failing to meet Illinois’ standard in multiple lawsuits filed in 2015. The three Illinois men fronting the class-action suit against Facebook said they were never told that the site’s photo tagging system used facial recognition technology to analyze photos then create and store “face templates.”

A federal judge later grouped the cases together as a class-action on behalf of Illinois Facebook users who were among the stored face templates as of June 7, 2011.

Facebook only changed the technology last year. The tag suggestion tool was replaced a broader facial recognition setting, which is turned off by default.

The Illinois law is the basis for two recent suits filed against Clearview AI, a facial recognition company that harvests images by scraping social media sites and other places and then sells access to its database to law enforcement agencies.

Facebook, Twitter, Venmo and YouTube have all demanded that Clearview stop harvesting their users’ images following investigative reports by The New York Times and Buzzfeed.

Although there are Illinois lawsuits against other major tech companies, including Google, Snapchat and Shutterfly, the vast majority of the cases are filed on behalf of employees who were directed to use fingerprint scanning systems to track their work hours and who accuse employers or the systems’ creators of failing to get their prior consent.

Illinois is one of three states that have laws governing the use of biometric data. But the other two, Texas and Washington, don’t permit individual lawsuits, instead delegating enforcement to their attorneys general.

The state’s Chamber of Commerce and tech industry groups have backed amendments to gut Illinois’ allowance of individual lawsuits or exempt time-keeping systems.

Illinois’ law puts “litigation over innovation,” said Tyler Diers, the Illinois and Midwest executive director of the industry group TechNet, whose members include Apple, Facebook and Google.

“This case exemplifies why consumer privacy law should empower state regulators to enforce rather than line the pockets of class action attorneys,” Diers said in a statement.

Facing Illinois’ law, some companies opt out of the state. Sony, for instance, refuses to sell its “aibo” robot dog to Illinois residents and says the device’s ability to behave differently toward individual people depends on facial recognition technology.

Backers of the law argue that it’s not difficult to comply — simply tell consumers you plan to use biometric data and get their consent.

State Rep. Ann Williams, a Chicago Democrat, said the ability to sue is critical for consumers facing global companies that make billions of dollars per year.

“If the penalty’s only a fine, that’s the cost of doing business for them,” Williams said. “A settlement like (the Facebook case), we’re talking about real money that will go to consumers.”

Attorneys who defend smaller companies, though, argue that the law should be narrowed to permit the use of fingerprint scanners to track employees’ hours.

“Small and medium-size businesses really do not have the resources to defend these cases or pay some big settlement,” said Mary Smigielski, a partner at Lewis Brisbois Bisgaard & Smith and a co-leader of the firm’s group focused on Illinois’ biometric law.

The Facebook case wound through courtrooms in Illinois and California for nearly five years before last month’s announcement of a settlement, days after the U.S. Supreme Court declined to hear arguments.

Edelson said he hopes that the $550 million deal, which lawyers on the case described as a record amount for a privacy claim, will put pressure on attorneys to refuse credit monitoring or negligible cash payouts that are more typical in agreements to resolve data privacy suits.

People eligible for the settlement will be contacted directly and don’t need to take any action until then, attorneys on the case said.

RelatedFTC Fines Facebook $5B, Adds Limited Oversight on Privacy

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Government

The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...