A class-action lawsuit against Facebook for scanning a user’s face in photos and offering tagging suggestions looks like it’s finally done churning through the courts.
The upshot: it will pay $550 million to settle the suit, Facebook disclosed in its quarterly earnings report on Wednesday.
Filed in 2015, plaintiffs had claimed that the platform violated the strictest biometric privacy law in the land – Illinois’s Biometric Information Privacy Act (BIPA) – with its tag suggestions tool.
Facebook started using that tool in 2015 to automatically recognise people’s faces in photos and suggest to their friends that they tag them. It’s done so without users’ permission and without telling them how long it would hang on to their biometrics, the suit contended, squirrelling faceprints away in what Facebook has claimed is the largest privately held database of facial recognition data in the world.
In September 2019, Facebook said that it was dumping tag suggestions in favour of the multi-purpose “face recognition” setting, which it made available to all users, along with an opt-out option.
The New York Times referred to the $550 million hit as a “rounding error” for Facebook, which reported that revenue rose 25% to $21 billion in the fourth quarter, compared with a year earlier, while profit increased 7% to $7.3 billion.
Jay Edelson, a lawyer for the Facebook users named in the facial recognition class action, told the Times that the settlement underscored the importance of strong privacy legislation:
From people who are passionate about gun rights to those who care about women’s reproductive issues, the right to participate in society anonymously is something that we cannot afford to lose.
Facebook got off easy. BIPA requires companies to get written permission before collecting a person’s biometrics, be they fingerprints, facial scans or other identifying biological characteristics. It also gives Illinois residents the right to sue companies for up to $5,000 per violation: a fine that could potentially add up to billions of dollars in payouts for tech companies that don’t settle and go on to lose lawsuits filed under the legislation.
Facebook has fought this lawsuit tooth and nail. In 2016, it tried – and failed – to wriggle out of it, saying that its user agreement stipulates that California law would govern any disputes with the company. Besides, Facebook said in its motion, BIPA doesn’t apply to Facebook’s facial tagging suggestions for photos.
The judge’s response: nope, squared. Going by Illinois law is just fine, and of course BIPA covers faceprints, like it covers all biometrics.
After backlash from Canadian and EU citisens and regulators, Facebook in 2012 had turned off its first incarnation of the tag suggestion feature in Europe and deleted the user-identifying data it already held.
The US has long trailed the EU when it comes to beating Facebook’s facial recognition into submission. However, last year, the country did a bit of catchup when the Federal Trade Commission (FTC) fined Facebook $5 billion for losing control of users’ data.
As part of the new 20-year settlement order, Facebook agreed to delete any existing facial recognition templates and to provide “clear and conspicuous notice” about any new facial recognition uses. The FTC’s order requires Facebook to give clear notice of how it uses facial recognition data and requires that it get consumers’ express consent before “putting that data to a materially different use.”
In September 2019, when Facebook ditched tag suggestions, it introduced face recognition designed to deliver an actual, bona fide opt-in choice for using our faceprints. And if you don’t yet know how to turn it off or on, here’s how:
How to turn face recognition on or off
In Facebook, go to Settings & Privacy > Settings > Under ‘Privacy’ tap Face recognition and select Yes or No next to the prompt ‘Do you want Facebook to be able to recognise you in photos and videos?’
Beratung Consulting are dedicated to Security solutions and are a trusted Sophos Partner.
