Back in was February of this year, I was in Salt Lake City to deliver the keynote address at The Monitoring Association’s annual Technology Summit. The topic that day was “Artificial Intelligence in Security Systems: Preliminary Legal and Privacy Implications.” This is a topic that I have also addressed in this column (see, for example, “Privacy in the Age of AI and Biometrics” at www.securityinfowatch.com/21044726).
Among the points that I raised to the audience that day was the practice by Facebook and other technology companies – maybe even security companies as well – of harvesting and storing the biometric data of its users, particularly facial recognition data. As I delivered my presentation, I wondered aloud – jokingly – whether Facebook had captured my facial image and determined, through artificial intelligence, to market hair restoration products directly to me because I have thinning hair.
Seriously – nearly every advertisement that I see on Facebook is for hair transplants, hair gels, scalp regenerating tools, etc. As hair is a unique biometric identifier, I have no doubt that Facebook targets me based on my appearance.
Biometrics in the Courts
Not only is Facebook targeting its ads, but it is fighting very hard to protect its right to use biometric data to do so; in fact, Facebook has been fighting for years in court over the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS/14 and Public Act 095-994). In 2015, Facebook was sued under BIPA by a putative class of Illinois Facebook users who alleged that Facebook’s photo tag feature violates BIPA.
BIPA was the first law (and perhaps the strictest) in the United States protecting biometric data. Other states, such as Texas, Alaska, California, Idaho, Massachusetts, Montana and New York, have some form of statutory biometric protection, but none rise to the level of protections afforded by BIPA.
In particular, BIPA defines biometric data as “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” It is not clear if “face geometry” extends to the hairline – which I jokingly suggest could be an ambiguity in the law.
Under BIPA, private entities are not permitted to “collect, capture, purchase, receive through trade or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” unless they follow certain procedures – such as obtaining prior notification and consent and developing a publicly available, written policy governing how long any biometric data will be retained.
The plaintiffs in the Facebook case took advantage of another notable aspect of BIPA – its private right of action. BIPA allows individuals to file a lawsuit for damages flowing from a violation of the statute. Damages range from $1,000 for each negligent violation to $5,000 for each intentional or reckless violation.
The Ruling and its Impact
On August 9, 2019, the U.S. Court of Appeals for the Ninth Circuit unanimously ruled against Facebook and held, among other things, that the class of Facebook users who sued for violation of BIPA have standing to sue even where they can show no individual harm.
In other words, a federal appeals court has determined that mere procedural violations of BIPA – such as the failure to obtain consent – may entitle individual users to a financial recovery as a matter of right. Given the statutory damages – particularly if the violation is deemed intentional or reckless – this is a substantial amount when aggregated in a class.
Among other things, the court found that the facial recognition feature “allows Facebook to create and use a face template and to retain this template for all time.” The court added that, “because the privacy right protected by BIPA is the right not to be subject to collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests.”
Facebook may have the largest database of facial images – about 350 million images are uploaded every day; however, the holding of the appeals court is not merely a Facebook problem. Indeed, the decision also has significant ramifications for other companies, such as Google, Amazon and perhaps even your security company.
- Does your company collect biometric data?
- Does your company give advanced notification of such collections?
- Does your company obtain consent for such collections?
- Does your company have policies governing how long the data is stored?
You do not need to be Facebook or Amazon or Google to be subject to privacy laws – BIPA or others. You should not assume that BIPA is an outlier and that other states will not strengthen their privacy laws with respect to biometric data. You should not assume that plaintiffs’ lawyers will not target you and avail themselves of any statutes authoring a private right of action.
The trends are clear and the stakes are high. If you are gathering biometric data and you are not consulting capable counsel to ensure full statutory compliance with governing privacy laws, then you are at risk.
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at [email protected].
