Biometrics, Privacy, and Facebook: Who is Tagging Who?

February 9, 2017

Beth is a twenty-five-year old who lives and works in New York City. She, like many of her peers, keeps in touch with her old friends and classmates via Facebook, one of the most well-known online social media and social networking services. After her birthday party, Beth logs on to Facebook to post pictures to memorialize the grand event. She uploads three photos of herself and a collection of her friends, and is prompted by Facebook to “tag” her friends, linking their profile to the pictures. When Beth goes to tag her friends in the photo, she finds that Facebook has already done it for her- Facebook gives her a suggestion for each face it identifies in the photo and asks “Is this (friend’s name)?” To Beth- and many other Facebook users- this technology might seem innovative and keen.

However, this feature– called ‘Tag Suggestions’ — is just one of the many instances of biometric technology being used, with or without our knowledge of its presence, in our daily lives.

While Facebook’s use of biometrics seems to serve the primary purpose of taking the leg-work out of tagging friends in photos, biometrics are used for much more than that. Biometrics first rapidly made their way into the mainstream as a means to help prevent identity theft and fraud. There are two main categories of biological measurements: physiological characteristics, which includes the shape or composition of the human body (such as fingerprints, DNA, facial measurements, vein patterns, retina or ear features); and behavioral characteristics, related to the pattern of the behavior of a person (such as typing rhythm, gait, gestures, and even voice).  The industry has now rocketed into the mainstream, with the biometrics market expected to be worth $32.7 billion by 2022. With new technology comes new legal problems, and some states have already attempted to combat rising concerns with biometrics through legislation. The most pertinent example is the Illinois Biometric Information Privacy Act (commonly known as BIPA), which was passed in 2008 in an effort to control how companies collect and use biometric identifiers. The law bans companies from collecting and storing a person’s unique biometric data without first obtaining permission and notifying the user.  Under BIPA, a prevailing plaintiff can recover actual or liquidated damages, as well as attorney’s fees and costs—providing some insight into the potential motivations behind a landmark upcoming biometrics privacy case: In re Facebook Information Privacy Litigation.
Three plaintiffs filed a complaint against Facebook, alleging that its use of biometric technology in its “Tag Suggestions” feature was done without their consent and therefore was a violation of BIPA. Facebook initially moved to dismiss the plaintiffs’ claim, stating that the plaintiffs agreed to Facebook’s choice-of-law provision (California) when they agreed to Facebook’s user agreement, rendering BIPA meaningless. The district court denied Facebook’s motion to dismiss, finding that while the user agreement was enforceable, California choice-of-law would not be enforced as it is contrary to Illinois’ fundamental policy. The district court found that “the plain language of BIPA indisputably evinces a fundamental privacy policy of Illinois,” and further that, if California’s laws were applied to this case, the Illinois policy of protecting its citizens’ privacy interests in their biometric data, especially in the context of dealing with “major national corporations” like Facebook, would be written out of existence, because California has neither legislatively recognized a right to privacy in personal biometric information nor has it afforded any type of private right of action for a violation of that right. While the case is still pending, this case adds flame to the fiery debate regarding biometric information and personal privacy.
As gleamed from in re Facebook, there are two contradictory debates circling the technology of biometrics as a method for gathering and storing personal facial information: first, the position that data is being collected without first obtaining an individual’s consent, thereby violating their rights to privacy; and second, the argument that BIPA unconstitutional prohibits interstate commerce by prohibiting businesses such as Facebook from using data it collects in states such as Illinois. Facebook takes the latter position: the social media giant said in its November 2016 answer to the plaintiffs’ amended class complaint filed in the U.S. District Court for the Northern District of California that the Illinois BIPA is unconstitutional as applied because it violates a well-established constitutional protection under the Commerce Clause… This constitutional protection limits a state’s ability to pass legislation that would improperly burden or discriminate against interstate commerce. Facebook said that not allowing it to use biometric analysis software to scan photographs posted by users from Illinois restricts its use of data used in commerce.
Both Facebook and the plaintiffs of this case seem to have prima facie persuading arguments- so who is correct? With regards to the potential for dissemination of personal information collected through biometric technology, consumers certainly have justification for concern. However, businesses also have a compelling interest in keeping up with new and updated technologies, in order to remain competitive and profitable. With the rise of biometrics not indicating any sign of halting, it will be interesting to see how the complexities of traditional privacy law and modern technology interact.