A 2015 lawsuit brought by Facebook users over the company’s alleged unauthorized collection of their facial features and other facial biometric data pursuant to the Illinois Biometric Information Privacy Act (“BIPA”) is slowly moving through the courts. The BIPA requires written notice and consent for the collection of biometric identifiers or biometric information of Illinois citizens. According to the complaint, filed August 17, 2015 in the United States District Court for the Northern District of California, Facebook through its Tag Suggestions technology automatically extracted biometric identifiers from their uploaded photographs and previously tagged pictures and stored these biometric identifiers in a database without the consent of the users.

In a December 8, 2017 motion for summary judgement, Facebook argued neither Illinois law nor the federal Constitution permits the application of BIPA to conduct that took place outside Illinois. Facebook asserted it performs its facial-recognition analysis on its servers located outside of Illinois. Additionally, the company argued that the application of BIPA in this case would violate the U.S. Constitution’s dormant commerce clause, which bars state regulation where the “practical effect” is to control conduct in other states.

Also on December 8, 2017, the plaintiffs filed a motion for class certification addressing the above issue, arguing the legislative intent behind BIPA reveals the Illinois legislature intended BIPA to protect the right to privacy of Illinois citizens in their personal biometric data, in particular with regard to interactions with “major national corporations” and “private entities doing business in Illinois.” The plaintiffs also cited case law demonstrating states can regulate commerce when at least one party is located in that state. Additionally, they argued “activity that occurs on the Internet is not immune from state-level regulation if the defendant can identify where an individual is located.” They contend that Facebook has the ability to identify where individuals are located.

Facebook sought to dismiss the suit in June of 2016, filing a motion to dismiss arguing the users have no standing because the above mentioned data collection caused no harm to the plaintiffs. The plaintiffs argued in their November 2017 response that they indeed had standing because their rights protected by BIPA were concrete rights and not procedural. They further asserted that Facebook may be able to debate the harmed caused, but the facts alleged were sufficient enough to sue.

Takeaway: Using the Illinois law, the plaintiffs’ bar is targeting scores of companies regarding the collection and use of certain biometric identifiers, including fingerprints. Companies doing business in Illinois or with Illinois residents should evaluate whether they need to modify their procedures in order to comply with the law.