On August 8, 2019, the 9th U.S. Circuit Court of Appeals in San Francisco ruled in a unanimous decision that a class action lawsuit against Facebook can proceed in court. Patel et al v. Facebook Inc. potentially exposes the technology giant to billions of dollars in lawsuits should a court rule in favor of the plaintiffs. Total financial exposure in the class action suit could amount to $5,000 per person for 7 million users.

The Lawsuit’s Background

Patel et al v. Facebook Inc. was filed by three Facebook users in Illinois in 2015. The suit later moved to California at Facebook’s request. The plaintiffs allege that Facebook violates Illinois’ Biometric Information Privacy Act via the company’s ‘Tag Suggestions’ feature. The Tag Suggestions feature analyzes facial features via uploaded photos, then suggests people to tag in future photos based on that information.

The comprehensive Biometric Information Privacy Act (BIPA), which passed into law in 2008, requires companies who collect any biometric data (including “retina or iris scan[s], fingerprint[s], voiceprint[s], or scan[s] of hand or face geometry”) to comply with a series of requirements.

The BIPA dictates that companies must inform, in writing, “the subject or the subject’s legally authorized representative…that a biometric identifier or biometric information is being collected or stored.” Companies must disclose “the specific purpose and length of term” for collection, storage, and use of the biometric information and must receive “a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative” in order to share the data with a third party.

Individuals “aggrieved by a violation of this Act” can take legal action against the company or party in question—in this case, Facebook. What qualifies as a grievance under BIPA was left purposefully vague, which puts the onus on a court to determine what, exactly, “aggrieved” means.

The Illinois Supreme Court may have set a precedent in January 2019. The court ruled in Rosenbach v. Six Flags Entertainment Corp that “a person can seek liquidated damages based on a technical violation of the Illinois Biometric Information Privacy Act (BIPA), even if that person has suffered no actual injury as a result of the violation.”

The Arguments and the 9th Circuit’s Decision

The plaintiffs argue that biometric data’s basis on physical appearance makes it fundamentally more sensitive than the other kinds of personal data that proliferate online. Shawn Williams, one of the lawyers representing the plaintiffs in Patel et al v. Facebook Inc., described it in an interview as “so sensitive that if it is compromised, there is simply no recourse…you can’t change your face,” reported Reuters.

Facebook maintains that it has caused no concrete harm to its users. The company does not sell its facial recognition data and, through a spokesperson, told Reuters it has “always disclosed our use of face recognition technology and that people can turn it on or off at any time.” While it is widely known that Facebook allows companies to use its data to target certain populations and develop new services for users, there is still no concrete indication that Facebook had done so with collected biometric data.

Even still, the three-judge panel at the U.S. 9th Circuit Court of appeals decided that any failure to comply with the Act’s requirements “constitutes an invasion, impairment, or denial of the person’s statutory rights.” Circuit Judge Sandra Ikuta ruled that “the Illinois users could sue as a group,” rejecting Facebook’s argument that their claims were unique and required individual lawsuits. Elaborating in their opinion, the judges wrote that the court “concluded that the development of a face template using facial-recognition technology without consent (as alleged in this case) invades an individual’s private affairs and concrete interests. Similar conduct is actionable at common law.”

Privacy advocates around the world have long echoed such concerns, believing that facial-recognition technology and collected information may be used nefariously. Nathan Freed Wessler, an attorney with the ACLU Speech, Privacy, and Technology Project, said in a statement that the decision “is a strong recognition of the dangers of unfettered use of face surveillance technology…[raising] chilling potential for privacy violations at an unprecedented scale.”

What Happens Next

The 9th U.S. Circuit Court of Appeals has returned the case to U.S. District Judge James Donato in San Francisco to potentially be brought to trial. It will face challenges before it reaches that point, as Facebook has affirmed it will appeal the decision.

Patel et al v. Facebook Inc. is far from the only case concerning the BIPA and alleged improper uses of biometric data. A similar case, Rivera et al v. Google LLC, was dismissed in late 2018 on the grounds that the plaintiff did not suffer concrete injuries, while other cases concerning companies like Shutterfly are pending. For now, the biggest questions still lack clarity: is scanning a photograph and not a face a violation of the law? Is there a legal precedent for ‘concrete injury’ as it relates to biometric data? The answers may have billion-plus dollar ramifications for tech companies, privacy advocates, and product users alike.