Court’s Biometrics Ruling Poses Billion Dollar Risk to Facebook, Google

January 28, 2019, 8:55 PM UTC
Human finger print as evidence of identity and as a password
Andrew Brookes/Getty Images/Cultura RF

The Supreme Court of Illinois on Friday ruled that an amusement park, Six Flags Great America, must pay damages to a boy for collecting his thumbprint without proper consent. The decision in the closely-watched case opens the door for the possibility of huge payouts in related cases against technology companies whose face-scanning policies breached a state law known as the Biometric Information Privacy Act.

In the Six Flags case, a mother named Stacey Rosenbach filed a lawsuit upon learning the amusement park scanned and stored her son’s thumbprint as part of its annual pass program. The case soon became a key test of the law, known as BIPA. The crucial issue is whether a person must show they suffered actual harm when a company collects biometrics without permission, or if it’s enough just to show that the act took place.

In a 7-0 ruling, the Illinois court agreed with Rosenbach that the purpose of the law, which provides for a $1,000 to $5,000 penalty, is to deter companies misusing consumers’ biometrics. This meant that Rosenbach’s son counts as an “aggrieved person” in the language of BIPA.

This ruling comes as a blow for Google and Facebook, both of which are ensnared in BIPA lawsuits of their own.

In the case of Facebook, consumers are claiming the social network scanned their faces without permission as part of a feature to “tag” friends and, in the case of Google, as part of a facial recognition service for Google Photos.

In the Facebook case, a judge agreed last year that an alleged lack of harm did not bar consumers from suing under BIPA, and that a proposed class action could go before a jury. Facebook appealed to the 9th Circuit Court of Appeals, and has been stalled for months pending the outcome of the Six Flags case. Now, according to plaintiffs’ lawyer Jay Edelson, the ruling on Friday amounts to a de facto victory.

“The Illinois Supreme Court went out of its way to make clear [the lower court] got the law right. We believe that Facebook’s appeal of that decision is effectively moot. We anticipate that the case will be remanded with instructions that the case gets tried immediately. Our whole team is very much looking forward to presenting our evidence in front of a jury,” Edelson wrote in an e-mail.

Facebook declined to comment on the implications of Friday’s ruling.

Justin Kay, a lawyer at the Chicago office of Drinker Biddle, who is not involved in the litigation, agreed the ruling spelled bad news for the tech companies.

“One of Facebook’s arguments is that the class should not have been certified because BIPA requires some showing of actual injury, and a court would have to inquire in the circumstances of each individual’s circumstances to identify that actual injury,” Kay wrote. “The Rosenbach decision appears to have foreclosed that argument, because the Illinois Supreme Court ruled that no actual injury is required under BIPA.”

The Illinois ruling also complicates a legal landscape that is already confusing when it comes to privacy rights. This confusion stems in part from a 2016 Supreme Court ruling called Spokeo, which turned on whether a data broker had violated the Fair Credit Reporting Act when it included false biographical information about individuals.

A divided court ruled that the data broker should not be liable because the individual who sued couldn’t show any real-world harm. But the decision left the door open for individuals to show harm in similar cases, and also side-stepped the question of how to interpret laws like BIPA, which provide mandatory financial penalties for technical privacy violations.

This uncertainty is likewise front and center in the BIPA lawsuit against Google. In a ruling in December, a federal judge sided with the tech giant, in part because the plaintiffs hadn’t shown they had been harmed by Google scanning photos without permission.

Friday’s ruling, however, casts the outcome of that case into doubt. According to Kay, the plaintiffs in the Google case have already filed a version of their BIPA claims in state court, where the issue of real world harm is no longer an obstacle.

If Facebook and Google ultimately lose the cases, the financial consequences could be enormous. BIPA’s penalties call for the $1,000 to $5,000 to be paid to every consumer—millions of them in these cases—per violation. The companies’ concern over the lawsuits was reflected in May 2016 when they led an unsuccessful lobbying push in Illinois’s state capitol to change the terms of BIPA to exclude their face scanning.

Kay says the potentially staggering amount of damages could actually help Facebook in its current appeal before the Ninth Circuit. He says one of the company’s arguments is that BIPA’s penalties are “so ruinous and out of proportion with any technical violation as to be unconstitutional.”

Today, numerous other BIPA lawsuits are percolating against dozens of other companies, including SnapChat and the photo album Shutterfly. According to Bloomberg Law, the cases are divided into those claiming illegal face-scanning and those alleging fingerprints or thumbprints were collected without permission.