In In re Facebook Biometric Info. Privacy Litig., (N.D. Cal. May 5, 2016), three named plaintiffs in a putative class action against Facebook claim that Facebook's Tag Suggestions program violates the Illinois Biometric Information Privacy Act (BIPA), which is intended to protect the public by regulating the collection and use of biometric data (740 Ill. Comp. Stat. 14/5). BIPA requires any organization that collects, captures, purchases, receives through trade, or otherwise obtains personal biometric identifiers or information to first:

(740 Ill. Comp. Stat. 14/15.)

BIPA, however, excludes certain types of data, including photographs, from its definitions of biometric identifiers and biometric information (740 Ill. Comp. Stat. 14/10).

Facebook's Tag Suggestions program allows users to scan uploaded photographs and then suggests names to use as "tags" based on the faces appearing in those photographs. The plaintiffs alleged that the program violated BIPA because Facebook did not:

The case is pending in California federal court based on a choice of forum provision in Facebook's terms of use. Facebook argued that the California choice of law provision in its user agreement precludes the plaintiffs from suing under an Illinois statute. The court ruled that, despite the parties' enforceable choice of California law provision, California rules required it to examine whether the laws of California (the parties' chosen state) are contrary to a fundamental policy of Illinois and, if so, whether Illinois has a materially greater interest in the issue. Finding that BIPA represents a fundamental policy of Illinois, and that California law and policy will suffer little if BIPA is applied, the court declined to enforce the California choice of law provision.

Facebook also argued that BIPA does not apply to its technology because it derives biometric data exclusively from scanned uploaded photographs, and the statute excludes photographs from its scope. The court rejected this argument.

Recognizing that the full ramifications of BIPA on newer technology like facial recognition is unknown, the court determined that BIPA's exclusion of photographs refers to paper prints, not digitized images that are stored and uploaded to the internet. The court declined to categorically exclude from BIPA all data collection processes using images, which would have undercut the statute since scanning biometric identifiers typically is based on an image or photograph. The court further distinguished between the use of photographs or images and the application of facial recognition algorithms to them, resulting in stored facial geometry data.

The court noted that it must accept the plaintiffs' allegations as true at this stage of the case but as the facts develop, distinctions between scans and photographs, or other fact issues, may emerge. Although this case is still in its infancy, counsel should be wary of its implications in interpreting contractual choice of law provisions in cases involving biometric data and the scope of BIPA. In the absence of federal privacy law, companies are increasingly subject to the patchwork created by the states and related case law.

For more information and best practices for organizations using biometric data, see Practice Note, Biometrics Litigation: An Evolving Landscape.