Facial Recognition Technology: Is it Legal?

April 4, 2016

The State of Illinois passed the Illinois Biometric Information Privacy Act (BIPA) which regulates the use of “biometric identifiers” or “biometric information” by private entities. A private entity may not obtain a person’s biometric identifier or information without first informing the subject that it is being collected or stored, informing the subject of the purpose for it being obtained, and receiving a written release by the subject.
There are several cases alleging that facial recognition technology violates this Act. An example of facial recognition technology is when a website recommends who to take in a photo when the picture is uploaded to a site like Facebook. In these situations, the website recommends who to “tag” in the photo based on its recognition of the facial features of each person in the photo as compared to other “tagged” pictures of the given person. Currently, there is a putative class action pending against Google based on Google’s cloud-based “Google Photos” service for “collecting, storing and using Plaintiff’s and other similarly situated individuals’ biometric identifiers and biometric information (collectively “biometrics”) without informed written consent, in direct violation of the BIPA.” This case is: Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. Filed Mar. 1, 2016).
The Rivera case arises from users of Google “Droid” devices who take photos and upload them to “Google Photos.” This service has millions of “face templates” of Illinois residents stored in the Google cloud. What is frightening to the plaintiffs bringing this case is that they don’t have to be a member of “Google Photos” for their “face template” to be stored. Thousands of Illinois citizens are subject to this face template storage without ever being a user of Google Photos. Other people have uploaded these photos of non-users in turn putting their face templates at risk. Google did not obtain consent from the non-users to store this information. The complaint points out an even more frightening factor about this case.

Unlike Social Security numbers that can be changed when there is fraud, biometrics are unique to each individual, and once the biometrics are compromised, there is no way to simply change them.

Face templates are a unique and personal attribute to each and every individual just like one’s DNA. It belongs to that person, and only that person.
Even further, the effects of this case could be huge. The number of persons in this Class are likely to be in the tens or hundreds of thousands. The BIPA provides for a private right of action. The potential awards in this statute provide for $1,000 in damages for negligent violations of the statute, and $5,000 for each intentional or reckless violation of the statute. Multiply these possible damages by each plaintiff, and Google could owe tens of millions in damages.
Many questions arise because of this case. The courts must decide what are “biometric identifiers” and what constitutes “biometric information” under this statute. In addition, these cases will have to resolve why facial recognition technology fits within these statutory definitions. Courts have not yet litigated on this statutory interpretation in reference to facial recognition technology, and perhaps much of this case will depend on cases against Facebook (Gullen v. Facebook, Inc., No. 15-07681 (N.D. filed Aug. 31, 2015)) and Shutterfly.
A second important question is whether this information has the same ability as personal identifiers such as social security numbers to contribute to identity theft and fraud. Is the information so vital to these purposes that it is worth a potential multi-million dollar loss by Google, one of our nation’s most well known companies? Stores such as Wal-Mart have tested the benefits of this technology by using it to catch shoplifters. What if the information can also be used in a beneficial manner?
What we do know is that these cases have the potential for a huge impact on companies like Google and Facebook, and potentially on facial recognition technology as we currently know it. Will other states begin to implement these statutory rules, and if so, how will these companies fare?