Skip to main content

Facebook's $550M Biometric Settlement Is a Data Privacy Law Landmark

by Chris Brook on Monday February 3, 2020

Contact Us
Free Demo

The settlement, one of the highest in US history, is a testament to robust privacy legislation.

While it can be argued the figure is a drop in the bucket for Facebook, the fact the company settled a lawsuit last week accusing it of breaking a state's data protection law is still notable.

News of the $550 million settlement – which stemmed from a class action lawsuit around Illinois’ pioneering facial recognition technology law – was disclosed last Wednesday as part of its fourth quarter earnings report.

The class action suit, filed in 2015, alleged that Facebook, by processing and storing facial recognition imagery for US users without permission – essentially creating biometric templates of their faces, broke Illinois' Biometric Information Privacy Act, one of the nation's preeminent biometric privacy laws.

BIPA, passed 12 years ago - in 2008, regulates biometric data usage, limiting state-level protections regarding individuals' biological characteristics. Under the law, organizations must obtain prior consent from consumers, confirm how they'll use the data and how long it will be kept.

Facebook collects facial recognition data as part of its Tag Suggestions tool, which uses facial recognition software to suggest users tag other users in photos uploaded to the social network.

Facebook no doubt was upset the U.S. District Court for Northern California denied its motions to dismiss the case, namely that it shouldn't have been certified because the users didn't allege any harm beyond the company violating BIPA. A finding last year that many in the legal community thought lent more credence to BIPA found that individuals don't need to prove harm. Simply being found in violation of the act alone is enough to constitute standing.

Some legal scholars believe the settlement could be a bellwether for future privacy legislation.

"This case is a great example of how states can take the lead to protect their residents' privacy rights despite Congress' failure to do the same," Nathan Freed Wessler, staff attorney with the American Civil Liberties Union' told Law360, "Lawmakers nationwide should follow Illinois' lead."

According to Paul Geller, one of the attorneys that represented the Illinois Facebook users, the social media site has altered how its platform collects data on users in the state in wake of the lawsuit.

It’s still too early to know exactly how much Facebook users will net from the settlement. Some reports suggest users could see a couple of hundred dollars. A federal judge in San Francisco, where the court case now resides, still needs to approve the settlement.

Regardless, it's one of the highest payouts around a data privacy breach in US history. The sum surpasses the $425 million Equifax set aside to help victims affected by its 2017 data breach. Despite all this, the $550 million settlement, which will be awarded to eligible Illinois users and for the plaintiffs’ legal fees, is just seven percent of what Facebook earned last quarter, $7.3 billion.

Tags:  Data Breaches

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.