The unanimous decision was made by the 9th US Circuit Court of Appeals in San Francisco.
The class action lawsuit was brought by Illinois Facebook users in 2015, who accused Facebook of having collected biometric data from its users in violation of Illinois’ 2008 Biometric Information Privacy Act.
According to the lawsuit, Facebook was able to gather this data via the ‘Tag Suggestions’ feature, which identifies Facebook users in newly uploaded photos from previous photos they have been tagged in, based on analysis of details of their faces.
“This biometric data is so sensitive that if it is compromised, there is simply no recourse,” Shawn Williams, who is representing the plaintiffs, told Reuters. “It’s not like a Social Security card or credit card number where you can change the number. You can’t change your face.”
Facebook argued that users had suffered no concrete harm as a result of the operations, and that users were able to opt out of Tag Suggestions. The databases of face templates are stored on servers in several US states, and Facebook argued that as the collection of biometric data occurred outside Illinois, it did not need to comply with the 2008 privacy law. The court disagrees, stating that it is reasonable to conclude that the law was intended to protect people in Illinois even with regard to activities occuring outside the state.
In the court ruling, Judge Sandra Ikuta wrote: “We conclude that the development of face template using facial recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”
The case has been bounced back to US District Judge James Donato in San Francisco, who certified a class action earlier this year.
The ruling was welcomed by the American Civil Liberties Union: “This decision is a strong recognition of the dangers of unfettered use of face surveillance technology. The capability to instantaneously identify and track people based on their faces raises chilling potential for privacy violations at an unprecedented scale,” said Nathan Freed Wessler, a lawyer with the group’s Speech, Privacy, and Technology Project.
Facebook has stated that it plans to appeal the ruling, telling Reuters: “We have always disclosed our use of face recognition technology and that people can turn it on or off at any time.”
According to the Biometric Information Privacy Act, each negligent violation could result in $1000 damages while each deliberate or reckless violation could result in damages of $5000. The class action lawsuit is likely to include millions of Facebook users, meaning that Facebook may face billions of dollars in damages.
However, a $5bn fine from the Federal Trade Commission (FTC) announced last month was largely dismissed as insufficient for a company with Facebook’s wealth and history, as the conditions of the settlement would not force the company to transform its data-handling practices. The FTC investigation was launched following an Observer investigation revealing that a data analytics company, Cambridge Analytica, had harvested the data of 87 million unwitting Facebook users to develop psychologically-targeted ads for political purposes, including the Trump campaign.
Facial recognition has become an increasingly controversial technology as it has been adopted by law enforcement and security services in the US, China, and other countries. In the UK, the Information Commission has warned that there remain significant issues around privacyassociated with police trials of live facial recognition.