Last week, a federal district judge in California shot down Facebook, Inc.’s second attempt to dismiss a putative class action alleging that its facial recognition software violates the Illinois Biometric Privacy Act (BIPA). The court found that plaintiffs had standing to proceed under the U.S. Supreme Court’s ruling in Spokeo, Inc. v. Robbins because the alleged BIPA violation was sufficient to give rise to a “concrete injury” for purposes of bringing suit.

Plaintiffs, who are Illinois residents, originally brought three separate suits in Illinois state and federal courts, arguing that their statutory rights under BIPA—a unique state law that prohibits the use of an individual’s biometric data without consumer notice and consent—were violated by Facebook’s “Tag Suggestions” feature, which automatically stores profiles of users’ faces and then “tags” them in subsequently uploaded photographs. The suits have been consolidated and transferred to federal court in the Northern District of California where they are pending under the caption In re Facebook Biometric Info. Privacy Litigation.

Facebook initially moved to dismiss plaintiffs’ suit on the basis that its terms of service mandated that California law—instead of BIPA—applied to the claims. After losing that round in May 2016, Facebook took another stab at dismissal, arguing that plaintiffs lacked Article III standing because Facebook’s use of their biometric data was essentially harmless.

In his February 26, 2018 Order denying Facebook’s renewed motion, U.S. District Judge James Donato disagreed, finding that under Spokeo, the Illinois state legislature had the power in enacting BIPA to create a statutory right, the violation of which was sufficient to give rise to an injury-in-fact for purposes of standing: “BIPA vested in Illinois residents the right to control their biometric information by requiring notice before collection and giving residents the power to say no by withholding consent. As the Illinois legislature found, these procedural protections are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers – identifiers that cannot be changed if compromised or misused. When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air. . . . Consequently, the abrogation of the procedural rights mandated by BIPA necessarily amounts to a concrete injury.”

Plaintiffs’ suit will now head into discovery.

As we have previously blogged, other courts have come out the opposite way on the issue of BIPA standing. But Judge Donato’s ruling will no doubt open the door to other plaintiffs seeking to recover for BIPA violations, particularly as the use of increasingly-popular facial and voice recognition technology expands. Indeed, similar suits against Google and Shutterfly are currently pending.

Whatever the ultimate outcome of In re Facebook Biometric Info., organizations considering deployment of biometric technologies should be aware of BIPA and its strict notice and consent requirements. Failure to comply can be costly with fines of up to $5,000 per improper use of a person’s image.