When must companies receive permission to use biometric data like your fingerprints or your face? The question is a hot topic in Illinois where a controversial law has ensnared tech giants Facebook and Google, potentially exposing them to billions in dollars in liability over their facial recognition tools.
Google got a reprieve last week when a federal court found that a Google Photos tool, which scans faces in order to create galleries of the same individual, did not violate the law. In a 28-page ruling, U.S. District Judge Edmond Chang said Google did indeed scan faces without permission—but that the people affected didn’t suffer any harm and therefore didn’t qualify to collect under the law, which provides victims $1,000 to $5,000 per violation.
On its surface, the ruling is encouraging for Facebook, which lost a case last year over a “tag” tool that identifies faces when people post photos. Facebook is currently appealing the ruling, and using an argument akin to the one Google made: It’s not enough for someone to show their biometric data was used without permission; the person must also demonstrate some sort of harm.
So why the different rulings in the Facebook and Google cases? Part of the reason may lie in the different ways the companies used the scans. Google’s Photos tool only helps someone organize their own photos, while the Facebook “tags” identify people to third parties. But a bigger cause may lie in the ongoing fallout from an important 2016 Supreme Court decision, Spokeo v. Robbins, that attempted to define when people can sue over privacy violations.
In a blog post on the recent Google decision, law professor Eric Goldman described the Spokeo ruling as a “judicial clusterfuck” that has complicated courts’ attempts to make sense of the Illinois biometric law.
In Spokeo, the top court overruled a decision involving an identity broker service who misidentified several attributes of a man in its database. It found that a lower court had been too quick in concluding the man had suffered the necessary harm to bring a lawsuit, and sent the decision back for further review.
The lack of specific guidance from the Supreme Court has since produced ongoing confusion over what type of privacy violations can let people seek financial damages.
In the case of the Illinois biometrics law, the state’s Supreme Court is set to rule on a case involving fingerprints collected by Six Flags amusement park. The case turns on who counts as “aggrieved” under the statute. Privacy advocates say legislators wrote the law intending for anyone whose biometrics were used without permission to be considered “aggrieved,” while companies have insisted there must be some specific form of harm.
Jay Edelson, whose law firm is leading the class action against Facebook, believes Judge Chang’s ruling last week will not affect the case.
“We don’t think the Google ruling will have any significant impact. Everyone is waiting for the Illinois Supreme Court to rule and that will be a significant event,” Edelson tells Fortune by email, adding that he believes the Facebook photo tags are clearly a privacy violation covered by the law.
Facebook did not immediately reply to a request for comment about the case. Lawyers for the plaintiffs in the Google case declined to say whether they will file an appeal.
As companies expand the use of facial recognition and other biometrics, the legal controversies are unlikely to go away anytime soon. Those include those surrounding the Illinois biometrics law, which the tech industry lobbied unsuccessfully to change in 2016.
