Facebook will pay $550 million to resolve claims it collected user biometric data without consent in one of the largest consumer privacy settlements in U.S. history, according to a statement Wednesday by lawyers for consumers.
The accord, which requires a judge’s approval, will avert a trial that may have exposed the social networking company to billions of dollars in damages. Facebook fought unsuccessfully to persuade the U.S. Supreme Court to derail the class action case. The users alleged that the company’s photo-scanning technology violated an Illinois law by gathering and storing biometric data without their permission.
Facebook didn’t immediately respond to a request for comment. The settlement was disclosed to investors on a quarterly earnings call.
While Facebook has weathered controversy over privacy almost since its inception, the company has come under particularly harsh scrutiny in recent years, both in the U.S. and in Europe. Facebook reached a historic $5 billion deal in July with the U.S. Federal Trade Commission to settle an investigation into its privacy practices stemming from the Cambridge Analytica scandal that came to light in early 2018. The company is also facing probes by New York, California, Massachusetts and others over its third-party data practices.
Consumer privacy cases in U.S. courts occasionally have succeeded in making internet companies change their policies, but have rarely triggered payouts of more than $10 million. The lawsuit over photo scanning was brought under the Illinois Biometric Information Privacy Act of 2008, the toughest laws of its kind in the U.S.
“Biometrics is one of the two primary battlegrounds, along with geolocation, that will define our privacy rights for the next generation,” Jay Edelson, a Chicago-based lawyer representing consumers who sued, said in the statement.
Facebook has for years encouraged users to tag people in photographs they upload in their personal posts and the social network stores the collected information. The company has used a program it calls DeepFace to match other photos of a person.
Courts have struggled over what qualifies as an injury to pursue a privacy case in lawsuits accusing Facebook, Google and other internet companies of siphoning users’ personal information from emails and monitoring their web browsing habits. Suits over selling the data to advertisers have often failed.
Facebook contended that its collection of biometric data didn’t cause users to suffer any concrete injury such as loss of money or property. But a San Francisco federal judge rejected that argument, saying in 2018 that the alleged violation of the user-consent requirement in the Illinois law goes to “the very privacy rights the Illinois legislature sought to protect.”
Privacy advocates regard biometric data as especially sensitive because — unlike names, addresses, credit cards and even social social security numbers, which can be changed — scans of retinas, fingerprints, hands, face geometry and blood samples are unique identifiers.
U.S. District Judge James Donato allowed the case to proceed as a class action on behalf of millions of Illinois residents who had uploaded photos on the network since 2011. Facebook failed to get a federal appeals court or the Supreme Court to reverse Donato’s ruling.
Taking the case to trial would be risky because, under the Illinois law, the company could be fined $1,000 to $5,000 each time a person’s image is used without consent. If Facebook had lost it might have been forced to pay $6 billion, according to Matthew Schettenhelm, Bloomberg Intelligence litigation and government analyst.
More must-read stories from Fortune:
—The long ocean voyage that helped find the flaws in GPS
—Atari-themed hotel deal punctuates the gaming pioneer’s turnaround
—Into the ‘crucible’: How the government responds when GPS goes down
—This tech giant says A.I. has already helped it save $1 billion
—What is tech doing to protect the whistleblower’s identity? Not much
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.