Facebook to pay $550m to settle face-tagging suit – Naked Security

A class-action lawsuit against Facebook for scanning a user’s face in photos and offering tagging suggestions looks like it’s finally done churning through the courts.

The upshot: it will pay $550 million to settle the suit, Facebook disclosed in its quarterly earnings report on Wednesday.

Filed in 2015, plaintiffs had claimed that the platform violated the strictest biometric privacy law in the land – Illinois’s Biometric Information Privacy Act (BIPA) – with its tag suggestions tool.

Facebook started using that tool in 2015 to automatically recognize people’s faces in photos and suggest to their friends that they tag them. It’s done so without users’ permission and without telling them how long it would hang on to their biometrics, the suit contended, squirreling faceprints away in what Facebook has claimed is the largest privately held database of facial recognition data in the world.

In September 2019, Facebook said that it was dumping tag suggestions in favor of the multi-purpose “face recognition” setting, which it made available to all users, along with an opt-out option.

The New York Times referred to the $550 million hit as a “rounding error” for Facebook, which reported that revenue rose 25% to $21 billion in the fourth quarter, compared with a year earlier, while profit increased 7% to $7.3 billion.

Jay Edelson, a lawyer for the Facebook users named in the facial recognition class action, told the Times that the settlement underscored the importance of strong privacy legislation:

From people who are passionate about gun rights to those who care about women’s reproductive issues, the right to participate in society anonymously is something that we cannot afford to lose.

Facebook got off easy. BIPA requires companies to get written permission before collecting a person’s biometrics, be they fingerprints, facial scans or other identifying biological characteristics. It also gives Illinois residents the right to sue companies for up to $5,000 per violation: a fine that could potentially add up to billions of dollars in payouts for tech companies that don’t settle and go on to lose lawsuits filed under the legislation.

Facebook has fought this lawsuit tooth and nail. In 2016, it tried – and failed – to wriggle out of it, saying that its user agreement stipulates that California law would govern any disputes with the company. Besides, Facebook said in its motion, BIPA doesn’t apply to Facebook’s facial tagging suggestions for photos.

The judge’s response: nope, squared. Going by Illinois law is just fine, and of course BIPA covers faceprints, like it covers all biometrics.

After backlash from Canadian and EU citizens and regulators, Facebook in 2012 had turned off its first incarnation of the tag suggestion feature in Europe and deleted the user-identifying data it already held.

National Cyber Security Consulting App







National Cyber Security Radio (Podcast) is now available for Alexa.  If you don't have an Alexa device, you can download the Alexa App for free for Google and Apple devices.