US Appeals Court Clears Facebook In Biometric Privacy Lawsuit Over Face Signatures
The United States Court of Appeals for the Ninth Circuit, with a three-judge panel of Justices Ryan D. Nelson, Danielle
US Appeals Court Clears Facebook In Biometric Privacy Lawsuit Over Face Signatures
The United States Court of Appeals for the Ninth Circuit, with a three-judge panel of Justices Ryan D. Nelson, Danielle J. Forrest, and Gabriel P. Sanchez, upheld the summary judgment from the US District Court for the Northern District of California (Trial Court), ruling that a face signature is not a biometric identifier under Illinois' Biometric Information Privacy Act (BIPA).
The case involved a plaintiff, who does not use Facebook (now Meta Platforms Inc.), alleging that Facebook violated BIPA by capturing his biometric identifiers through the creation of a face signature from photos uploaded by his Facebook-using friends. The plaintiff also contended that Facebook failed to publish a required written policy on its data retention schedule.
The plaintiff, a non-user of Facebook (now Meta), filed a lawsuit against Facebook for alleged violations of the Illinois Biometric Information Privacy Act (BIPA). He claimed that Facebook collected and captured his biometric identifiers by creating a face signature from photos his Facebook-using friends uploaded.
Additionally, he alleged that Facebook failed to publish a required written policy on the data retention schedule for collected biometric data. The Trial Court granted summary judgment to Facebook on the first claim, ruling that the BIPA provisions in question do not protect the privacy interests of non-users. The second claim was dismissed by the trial court due to a lack of standing.
The Court thoroughly examined the Illinois Biometric Information Privacy Act (BIPA), starting with Section 15(b). This section specifies that a private entity can collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information. However, to do so, the private entity must:
1. Inform the subject or their representative in writing about the collection or storage of their biometric identifier or information.
2. Provide details in writing about the specific purpose and the length of time for which their biometric data will be used.
3. Obtain written authorization from the subject or their representative.
The Court reviewed the definitions of biometric identifier and biometric information under Section 10 of BIPA. It found that biometric identifiers include retina or iris scans, fingerprints, voiceprints, and hand or face geometry scans, but not photographs. For biometric information, the Court determined that any data derived from a biometric identifier used to identify a person, regardless of how it is captured, converted, or stored, qualifies as biometric information. However, information derived from items excluded from the definition of biometric identifiers is also excluded from the definition of biometric information.
Under Section 20 of BIPA, the Court noted that individuals aggrieved by a violation of BIPA's terms have the right to take legal action against the offending party.
The Trial Court had granted summary judgment to Facebook, arguing that it would be unreasonable to interpret BIPA to require Facebook to notify and obtain consent from non-users—individuals with no existing relationship with Facebook—whose images were incidentally captured in photos uploaded by Facebook users. The Trial Court deemed such an interpretation untenable, as it would necessitate Facebook obtaining consent from any individual whose face appeared in a photo uploaded to the platform. This stance referred to the case Rosenbach v. Six Flags Entertainment, where the Illinois Supreme Court concluded that BIPA should not impose extraordinary burdens on businesses.
The Court of Appeals rejected the Trial Court’s reasoning for summary judgment. It revisited Section 15(b), clarifying that BIPA's intent was to protect both non-users and users, irrespective of any pre-existing relationship with the private entity. The primary question before the Court was whether a face signature constitutes a biometric identifier or biometric information. Aligning with Facebook’s argument that BIPA applies to biometric identifiers and information capable of identifying a person, the Court concluded that a face signature does not meet these criteria.
The Court examined the plain language of the Illinois Biometric Information Privacy Act (BIPA) to determine if a face signature qualifies as a biometric identifier or biometric information. The Court acknowledged that while a photograph does not meet BIPA's statutory definition of a biometric identifier, it could still be considered one in a broader, ordinary sense. Conversely, a face geometry scan, which is explicitly included in BIPA’s definition of biometric identifier, would not be covered if it could actually identify a person.
To clarify, the Court cited Bond v. United States, where the United States Supreme Court stated that understanding a statute requires considering the ordinary meaning of a term, especially when there is a discrepancy between this meaning and the statutory definition. Accordingly, the Court concluded that the ordinary meaning of identifier—suggesting someone or something that identifies—should inform its statutory interpretation. This approach would prevent Facebook from having to abandon its core services.
The Court also referenced Hazlitt v. Apple, which recognized that BIPA applies to face scans used to identify a person, even if a company does not currently use them for identification purposes. The prevailing judicial view is that biometric identifiers under BIPA must have the capability to identify a person. Whether face signatures can identify non-users remained the key question for the Court's consideration.
The Court considered Facebook's unchallenged evidence demonstrating that face signatures cannot identify non-users. Facebook has shown that face signatures are abstract numerical representations of faces, generated through pixel comparisons by algorithms, that cannot be reverse-engineered or stored in a manner that identifies individuals. Consequently, non-users' faces appearing in users' photos remain anonymous to Facebook.
The Court concluded that the plaintiff lacked standing to bring a Section 15(a) claim. The plaintiff's assertion regarding a violation of Section 15(a) was limited to a single sentence stating that Facebook does not publicly provide a retention schedule or guidelines for permanently destroying the biometric identifiers and/or biometric information of the plaintiff and class members. The Court referenced Bryant v. Compass Group USA, Inc., where it was established that the public provision of a data retention schedule is a general duty owed to the public, not to specific individuals. The plaintiff failed to demonstrate how he or any proposed class members suffered concrete and particularized harm from Facebook’s general duty violation.
Additionally, regarding whether face signatures qualify as biometric identifiers or information under BIPA, the Court noted that the plaintiff did not provide evidence showing that face signatures were indeed biometric identifiers or information. The Court thus concluded that Facebook's use of face signatures did not cause the substantive harm that BIPA aims to prevent. As a result, the Court affirmed that Meta (Facebook) was entitled to summary judgment on the Section 15(b) claim and that the plaintiff's Section 15(a) claim lacked standing.