On January 29, 2020, Facebook agreed to a $550 million settlement in a class action suit filed under Illinois’ Biometric Information Privacy Act (BIPA). If approved by the California district court, the settlement will compensate Facebook users in Illinois for Facebook’s use of facial recognition technology known as “tagging” without their consent and in violation of BIPA. This significant settlement will likely spur future class action lawsuits related to biometric privacy, which have been steadily rising since the Illinois Supreme Court’s decision in Rosenbach v. Six Flags (discussed here) to hold companies liable for mere statutory non-compliance. Facebook’s settlement further emphasizes that companies need to comply with biometric privacy laws if they collect or store an individual’s biometric information.

In Patel v. Facebook, the case resulting in the $550 million settlement, Facebook argued that the BIPA violations did not occur “primarily and substantially” in Illinois, since its servers are located in California. However, the court disagreed and suggested that a consumer’s mere use of Facebook in Illinois made BIPA applicable. This extraterritorial holding from Patel, in conjunction with Rosenbach’s holding that statutory non-compliance is sufficient injury to bring suit, highlight that companies who do business with Illinois residents need to review their biometric data collection practices for compliance with Illinois’ law, even if they are not headquartered or located in Illinois.

BIPA governs how entities operating in Illinois collect, process, and use consumers’ biometric data. It requires these businesses to obtain explicit written consent from a consumer before collecting any biometric identifiers. BIPA also requires written notice to individuals when collecting or storing biometric identifiers and mandates disclosure of the specific purpose and duration for which that data are kept.