Internet Privacy – Has Tagging a Photo Gone Too Far?

In 2008, Illinois’ legislature enacted the Illinois Biometric Information Privacy Act (hereinafter referred to as “the Act”). Relevant to the cases that will be mentioned below, the Act makes it unlawful for a private entity to collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information unless the private entity: 1) informs the person whose information is being recorded that such information is being collected, stored, and used; and 2) informs the person whose information is being recorded how long such information will be collected, stored, and used; and 3) the person whose information is being obtained provides a written release allowing the private entity to collect, store, and use such information. 740 ILCS 14/15 (West 2012). If found guilty, a private entity can be found liable to pay either $1,000 for each negligent breach; $5,000 for each intentional or reckless breach; or actual damages, whichever is greater. 740 ILCS 14/20. Thus, in the context of photographs on social media sites, even negligent breaches of the Act can prove to be very costly if found guilty.

In recent years, the Act has been the focus of increased litigation. As a result, two notable settlements have been attained and an ongoing action against Facebook has garnered a lot of media attention. In one of the aforementioned settlements, L.A. Tan Enterprises paid out $1.5 million to a class of its customers when the entity allegedly shared its customer’s fingerprint scans. Another Illinois resident used the Act against Shutterfly and obtained a second settlement. The amount of the Shutterfly settlement was not disclosed but the agreement was obtained prior to the class action becoming certified.

In 2015, three separate plaintiffs filed suit against Facebook alleging that the social media site was illegally collecting biometric data from its users. One plaintiff filed in Cook County while the other two filed in the federal district court. The cases were consolidated and transferred to the Northern District of California. Facebook sought dismissal of the case but the district court judge found that Plaintiffs successfully plead a cause of action and thus dismissed the Defendant’s motion. The court initially found that the contractual choice of law Facebook forces its users to “sign” will not be enforced. In re Facebook Biometric Info. Privacy Litig., 2016 U.S. LEXIS 60046, *28. The court held as such because it found the Act to be a manifestation of “substantial [Illinois] policy.” Id. at * 32. Therefore, Illinois law, will govern the outcome of the subsequent trial. The court then held that alleging “Facebook’s face recognition technology involve[d] a scan of face geometry that was done without plaintiffs’ consent” was sufficient to state a plausible claim for relief under the Act. Currently, the case has been and will continue to continue through the discovery phase. According to Matthew Kugler, an assistant professor at the Northwestern University Pritzker School of Law, quoted in a Chicago Tribune article titled What’s Next Illinois biometrics lawsuits may help define rules for Facebook, Google: “the suit may hinge on whether users were sufficiently informed about how their Facebook data would be used.”

If you would like more information on this topic, you can contact the author, Matthew Sheahin, at (312) 332-7555 or