ARLINGTON – Facebook Inc. agreed to pay US$550 million (S$750 million) to resolve claims it collected user biometric data without consent in one of the largest consumer privacy settlements in US history.
The accord, which requires a judge’s approval, will avert a trial that may have exposed the social networking company to billions of dollars in damages.
Facebook fought unsuccessfully to persuade the US Supreme Court to derail the class action case. The users alleged that the company’s photo-scanning technology violated an Illinois law by gathering and storing biometric data without their permission.
“We decided to pursue a settlement as it was in the best interest of our community and our shareholders to move past this matter,” Facebook said.
While Facebook has weathered controversy over privacy almost since its inception, the company has come under particularly harsh scrutiny in recent years, both in the US and in Europe.
Facebook reached a historic US$5 billion deal in July with the US Federal Trade Commission to settle an investigation into its privacy practices stemming from the Cambridge Analytica scandal that came to light in early 2018. The company is also facing probes by New York, California, Massachusetts and others over its third-party data practices.
Consumer privacy cases in US courts occasionally have succeeded in making Internet companies change their policies, but have rarely triggered payouts of more than US$10 million. The lawsuit over photo scanning was brought under the Illinois Biometric Information Privacy Act of 2008, the toughest laws of its kind in the US.
“Biometrics is one of the two primary battlegrounds, along with geolocation, that will define our privacy rights for the next generation,” Mr Jay Edelson, a Chicago-based lawyer representing consumers who sued, said in a statement.
Facebook has for years encouraged users to tag people in photographs they upload in their personal posts and the social network stores the collected information. The company has used a programme it calls DeepFace to match other photos of a person.
Courts have struggled over what qualifies as an injury to pursue a privacy case in lawsuits accusing Facebook, Google and other Internet companies of siphoning users’ personal information from emails and monitoring their web browsing habits. Suits over selling the data to advertisers have often failed.
Facebook contended that its collection of biometric data didn’t cause users to suffer any concrete injury such as loss of money or property. But a San Francisco federal judge rejected that argument, saying in 2018 that the alleged violation of the user-consent requirement in the Illinois law goes to “the very privacy rights the Illinois legislature sought to protect”.
Privacy advocates regard biometric data as especially sensitive because – unlike names, addresses, credit cards and even social social security numbers, which can be changed – scans of retinas, fingerprints, hands, face geometry and blood samples are unique identifiers.
The settlement will push technology companies to pay closer attention to users’ concerns over biometric technology, said Ms Pam Dixon, executive director of nonprofit advocacy group World Privacy Forum.
“This will cause a lot of discussion on the Biometric Information Privacy Act as very few companies could afford a settlement like this and survive,” she said.
US District Judge James Donato allowed the case to proceed as a class action on behalf of millions of Illinois residents who had uploaded photos on the network since 2011. Facebook failed to get a federal appeals court or the Supreme Court to reverse Mr Donato’s ruling.
Taking the case to trial would be risky because, under the Illinois law, the company could be fined US$1,000 to US$5,000 each time a person’s image is used without consent. If Facebook had lost it might have been forced to pay US$6 billion, according to Mr Matthew Schettenhelm, Bloomberg Intelligence litigation and government analyst.