Since 2015, Facebook has been fending off a lawsuit challenging its use of facial recognition software, and this pressure will continue as Facebook is pushed to adjust its biometric data processing practices to comply with the impending European Union General Data Protection Regulation (GDPR), which will be implemented this May.1

Facial recognition software is a highly lucrative market, and these programs have the potential to be used for security and surveillance systems as well as by marketers to deliver advertisements targeting consumers based on gender, age, and ethnicity.2 The facial-recognition market is expected to earn $9.6 billion by 2022, and Facebook has filed a patent for emotion-detection software that would display content based on an individual’s identified emotion, allowing it to monetize its facial recognition programs.3

There are no federal laws providing privacy protections in corporate use of facial recognition software,4 but three states have such laws. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA), which forbids private entities from obtaining an individual’s biometric identifier or information without both notifying that person and receiving their written consent.5 Unlike similar laws in Texas and Washington, Illinois’ law grants individuals a private right of action against the offending company,6 giving BIPA substantially more teeth than if it were only enforceable by the state.

A 2015 lawsuit, filed by a Chicago-based Facebook user, argues that Facebook’s facial recognition program used in its automatic “tagging” function violated BIPA by obtaining and processing biometric identifiers—i.e., face scans—without consent.7 Under BIPA, biometric identifiers include scans of face geometry.8 The Northern District of California rejected Facebook’s motion for summary judgment, which argued that the statutory language of BIPA limits biometric identifiers to face scans which were done in person, as opposed to face scans based on photographs.9 This argument was subsequently rejected in similar suits against both Google10 and Shutterfly11 in federal court in Illinois.

With its motion for summary judgment denied, Facebook is currently trying to block class certification in the 2015 suit, as well as an additional suit on behalf of non-Facebook users in Illinois whose images were uploaded to Facebook and scanned without consent.12 Facebook is arguing that there is a lack of commonality between the claims within each class.13 The two cases have been combined, and there will be a hearing to determine if class certification is proper on March 29, 2018.14 If the plaintiffs get class certification, Facebook’s potential damages will increase drastically, which could prompt an out-of-court settlement.

Although BIPA only provides relief to Illinois residents, the impending E.U. regulation may push Facebook to bring its facial recognition practices somewhat closer to conformity with BIPA for users in the United States. The GDPR generally prohibits biometric data, including face scans, from being processed without explicit consent.15 The GDPR applies not only to entities within the European Union, but also to entities that offer goods or services to, or monitor the behavior of, data subjects in the European Union, and then process the personal data of those individuals.16 While Facebook has expanded its facial recognition program to process uploaded images and alert the people featured in the photos regardless of whether they are tagged, users may opt out of being identified through the facial recognition program.17 This program is not available for users in the European Union or Canada.18 Although the GDPR does not formally give U.S. consumers protection, it has prompted Facebook to announce efforts to make controlling privacy settings more user-friendly and transparent.19 The threats of class actions and GDPR penalties may change corporate biometric data practice norms, pushing companies towards policies that favor user privacy and affirmative consent.