May 9, 2019
Facebook’s Motion to Dismiss and for Summary Judgment were denied last week in: IN RE FACEBOOK BIOMETRIC INFORMATION PRIVACY LITIGATION in the N. District of California.
In that case, a putative class action was filed under the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 et seq. (“BIPA”), and the named plaintiffs allege that defendant Facebook unlawfully collected and stored biometric data derived from their faces. Facebook argued that plaintiffs failed to state a claim under BIPA and that a California choice-of-law provision in its user agreement precludes suing on an Illinois statute. The Court found that Illinois law applies and that plaintiffs have stated a claim under BIPA. Google currently is being sued under BIPA for using facial recognition and photo sharing, and Shutterfly just settled a similar case.
But facial recognition technology continues to expand. Retail stores are using surveillance that includes software able to recognize individual shoppers’ faces, and online educational courses can employ software that provides identity verification through facial recognition over a webcam. Google also announced at the beginning of the year that they are planning to eliminate passwords and replace them with user authentications via biometric readings. Wells Fargo is planning to let corporate clients sign in to its commercial banking app using either EyeVerify’s Eyeprint ID system or via a facial and voice recognition system; Wells Fargo also will use fingerprint authentication for non-business customers through its mobile banking app (of course, you know when you’re providing a fingerprint or an eye scan, and not necessarily so with facial recognition).
Because of the implications on individual privacy, biometrics including facial recognition might be overripe for industry (self-)regulation. In fact, a cross-industry group was recently convened by the National Telecommunications & Information Administration (NTIA) to find voluntary standards for businesses in their use of facial recognition technology. However, business interests and the lure of the goldmine that is data collection made business’ refusal to agree to seek consumer consent before employing biometric technologies an non-starter for privacy advocates; individuals representing the Center for Democracy and Technology, the Electronic Frontier Foundation, and the American Civil Liberties Union all withdrew in protest. The group continues to meet without privacy rights advocates, and currently its members are discussing a draft “Privacy Best Practices Recommendations for Commercial Facial Recognition Use.”
Ultimately, it seems to be in everyone’s interest to establish biometrics regulations. If business interests are starting to battle costly lawsuits and consumers and privacy interests are starting to feel threatened by undisclosed and unauthorized use of “faceprints,” we will waste time, money and technology advances as we wade through the legal muck. (But the lawyers might be happy, so maybe that’s an acceptable solution after all?)