Facebook faces yet another monstrous privacy headache in Illinois

Just as the Cambridge Analytica scandal re-emerged to heighten Facebook frustrations, the social media giant is contemplating a class-action lawsuit regarding facial-recognition.

It has been a tough couple of weeks for Facebook. With the ink still wet on a $5 billion FTC fine, the UK Government questioning discrepancies in evidence presented to Parliamentary Committees and a Netflix documentary reopening the wounds of the Cambridge Analytica scandal, the last thing needed was another headache. This is exactly what has been handed across to Mountain View from Illinois.

In a 3-0 ruling, the Court of Appeals for the Ninth District has ruled against Facebook, allowing for a class-action lawsuit following the implementation of facial-recognition technologies without consultation or the creation of public policy.

“Plaintiffs’ complaint alleges that Facebook subjected them to facial-recognition technology without complying with an Illinois statute intended to safeguard their privacy,” the court opinion states.

“Because a violation of the Illinois statute injures an individual’s concrete right to privacy, we reject Facebook’s claim that the plaintiffs have failed to allege a concrete injury-in-fact for purposes of Article III standing. Additionally, we conclude that the district court did not abuse its discretion in certifying the class.”

After introducing facial recognition technologies to the platform to offer tag suggestions on uploaded photos and video content in 2010, Facebook was the subject of a lawsuit under the Illinois Biometric Information Privacy Act. This law compels companies to create public policy before implementing facial-recognition technologies and analysing biometric data, a means to protect the privacy rights of consumers.

Facebook appealed against the lawsuit, suggesting the plaintiffs had not demonstrated material damage, therefore the lower courts in California were exceeding granted responsibilities. However, the appeals court has dismissed this opinion. The lawsuit will proceed as planned.

The law in question was enacted in 2008, with the intention of protecting consumer privacy. As biometric data can be seen as being as unique as a social security number, legislators feared the risk of identity theft, as well as the numerous unknowns as to how this technology could be implemented in the future. This was a protective piece of legislation and does look years ahead of its time when you consider the inability of legislators to create relevant rules today.

As part of this legislation, private companies are compelled to establish a “retention schedule and guidelines for permanently destroying biometric identifiers and biometric information”. The statute also forces companies to obtain permission before applying biometric technologies used to identify individuals or analyse and retain data.

Facebook is not arguing it was compliant with the requirements but suggested as there have been no material damages to individuals or their right to privacy, the lawsuit should have been dismissed by the lower courts in California. The senior judges clearly disagree.

But what could this lawsuit actually mean?

Firstly, you have the reputational damage. Facebook’s credibility is dented at best and shattered at worst, depending on who you talk to of course. The emergence of the Netflix documentary ‘The Great Hack’, detailing the Cambridge Analytica scandal, is dragging the brand through the mud once again, while questions are also being asked whether the management team directly misread the UK Government.

Secondly, you have to look at the financial impact. Facebook is a profit-machine, but few will be happy with another fine. It was only three weeks ago the FTC issued a $5 billion fine for various privacy inadequacies over the last decade, while this is a lawsuit which could become very expensive, very quickly.

Not only will Facebook have to hire another battalion of lawyers to combat the threat posed by the likes of the American Civil Liberties Union, the Electronic Frontier Foundation, the Center for Democracy & Technology and the Illinois PIRG Education Fund, the pay-out could be significant.

Depending on the severity of the violation, users could be entitled to a single sum between $1000-$5000. Should Facebook lose this legal foray, the financial damage could be in the 100s of millions or even billions.

From a reputational and financial perspective, this lawsuit could be very damaging to Facebook.

Court rules companies can be sued for collecting biometric data without consent

A reminder of how quickly the technology world evolves; it’s not only regulations which need to catch up, but business practices too, as a Supreme Court opens the door for privacy lawsuits.

In an interesting case, the Supreme Court of Illinois has set precedent for its Biometric Information Privacy Act (BIPA). Companies who have not appropriately obtained consent from individuals before storing biometric data can now be sued under the BIPA without said individual having been damaged by the scenario, through fraud for example. The ruling makes BIPA a dangerous piece of paper, as effective use of the Freedom of Information Act could put a few in precarious positions.

This case, Rosenbach versus Six Flags, has pitted a 14-year-old against the amusement park over the collection and storage of thumbprint data without informed consent. The BIPA prohibits companies from gathering, using, or sharing biometric information without informed opt-in consent, though the issue which the Supreme Court has been considering is whether there are grounds for a lawsuit without damage being inflicted on the user.

“Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act,” stated Chief Justice Lloyd Karmeier in his decision.

But why is this a dangerous decision for businesses locating or operating in Illinois? Because business practices are not keeping up with the tsunami of data which is emerging, and many companies do not have full visibility into the data which they hold.

One of the problems we saw in the build up to General Data Protection Regulation (GDPR) in Europe was an understanding of what data companies actually had their hands on. With the 21st century’s version of a land-grab seeing companies scrap for as much information as possible through the last decade, few companies actually managed to effectively store and categorize.

Before any company can consider calling themselves compliant (under GDPR, BIPA or any new data-orientated regulations) a full data audit would have to be completed; this discovery process was a critical step in the process. In conversations over coffee, a few consultants told us this was a significant issue for UK companies. During the audit, some were finding they were holding onto sensitive data, which they had no idea existed, and were in violation of data privacy and protection regulations.

BIPA is nowhere near as wide-ranging as some data protection and privacy regulations, though we suspect there will certainly be numerous companies who are now non-compliant under this new ruling and precedent. This is the issue with technology; it’s moving so much faster than the red-tape bureaucrats. Technology is implemented before regulations governing the usage, or business practices to ensure compliance, can be deployed. It creates a dangerous position where companies could be non-compliant without even realising.

In Illinois, as there no longer needs to be proof of damages to individuals, effectively placed Freedom of Information Act requests could see similar cases brought in front of the courts. In the rush to remain relevant through embracing technology, few have considered the boring aspect of regulation. Who would, considering how long it takes the courts to catch up? But this is a case where being at the cutting edge of technology is a two-edged sword.