By: Caroline Burkard

You take the perfect picture and you begin to upload it to your Facebook page. The last step, “Tag Suggestions.” You think, “Great! I can tag a friend so it’ll show up on their Facebook page too!” Instead, you should be thinking about Facebook’s 4 step facial recognition software and how the company collects and stores your biometric data without your consent.

In 2011, Facebook began its “Tag Suggestions,” a tool that automatically scans and identifies Facebook users to tag in pictures. What users didn’t realize is that Facebook’s 4 step facial recognition software included detection, alignment, representation, and classification steps. The “detection” step began with Facebook scanning for faces that matched those in the picture. The second step, the “alignment,” searched through facial features in an attempt to match a picture. If the software was able to detect and align a face, Facebook then created a “face signature” which was a set of numbers used to identify the face in the “representation” step. The “face signatures” were then searched through a “stored database of user ‘face templates’ to look for matches” in the “classification” step. The software would then use the “face templates” which were numbers similar to those produced in the “face signatures,” and the software would use that information in order to identify other users in pictures and offer it as “Tag Suggestions.” These “face templates” were stored in their database without the consent of its users.

In 2015, an Illinois class-action suit claimed that Facebook had violated Illinois’ Biometric Information Privacy Act (“BIPA”). “BIPA provides that no private entity may collect, store, or use biometric identifiers or information without providing prior notice to and obtaining a written release or consent from the subject.” BIPA violation fines begin at $1,000 dollars and go upwards to $5,000 dollars per violation, including attorney fees. Facebook contended that it was a meritless case because its users hadn’t suffered “measurable harm.”

During litigation, in 2019, Facebook adjusted its “Tag Suggestions.” Instead of Facebook automatically suggesting tags of other people, each user had an additional setting where they could manually choose to not be recognized by the facial recognition software. Facebook friends could still tag others but, if a user declined the facial recognition software, Facebook would no longer automatically suggest them as a tag. This was not enough to curtail the damage that had already been done.

Facebook initially agreed to pay $550 million dollars to settle the case, but a California Federal Judge rejected the settlement offer. If Facebook had gone to trial and lost, they could have been responsible for paying $47 billion dollars in fines. On August 19, 2020, Federal Judge James Donato approved and raised the settlement to $650 million dollars and required Facebook to delete its users’ face templates and to automatically set its users’ settings for facial recognition to off. Facebook consumers were responsible for manually turning it on.

Even though $650 million dollars may seem like a chip out of Facebook’s multi-billion-dollar empire, it seems that Justice Donato’s decision to reject Facebook’s initial settlement proposal sets out a warning to Facebook and all other social media platforms. Justice Donato stated, “The Illinois Legislature said this is meant to be an expensive violation.” By stating this and approving an increased $100 million dollar settlement, Judge Donato has made it clear that infringing on the public’s privacy carries a hefty price tag.

Unfortunately, not every state carries the same biometric privacy laws as Illinois. Perhaps the price tag of $650 million dollars will alert the public to call on state legislatures to act. There must be specific biometric privacy laws in place that can protect Facebook users from these privacy violations. Until then, be careful of who you might tag next.

Student Bio: Caroline Burkard is in her second year as an accelerated evening student at Suffolk University Law School. She currently serves as a staff member on the Journal for High Technology Law. Caroline received her Bachelor of Arts in Political Science and her Master of Education from UMASS Boston.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.