The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Facebook's $550M Biometric Settlement Is a Data Privacy Law Landmark

by Chris Brook on Monday February 3, 2020

Contact Us
Free Demo
Chat

The settlement, one of the highest in US history, is a testament to robust privacy legislation.

While it can be argued the figure is a drop in the bucket for Facebook, the fact the company settled a lawsuit last week accusing it of breaking a state's data protection law is still notable.

News of the $550 million settlement – which stemmed from a class action lawsuit around Illinois’ pioneering facial recognition technology law – was disclosed last Wednesday as part of its fourth quarter earnings report.

The class action suit, filed in 2015, alleged that Facebook, by processing and storing facial recognition imagery for US users without permission – essentially creating biometric templates of their faces, broke Illinois' Biometric Information Privacy Act, one of the nation's preeminent biometric privacy laws.

BIPA, passed 12 years ago - in 2008, regulates biometric data usage, limiting state-level protections regarding individuals' biological characteristics. Under the law, organizations must obtain prior consent from consumers, confirm how they'll use the data and how long it will be kept.

Facebook collects facial recognition data as part of its Tag Suggestions tool, which uses facial recognition software to suggest users tag other users in photos uploaded to the social network.

Facebook no doubt was upset the U.S. District Court for Northern California denied its motions to dismiss the case, namely that it shouldn't have been certified because the users didn't allege any harm beyond the company violating BIPA. A finding last year that many in the legal community thought lent more credence to BIPA found that individuals don't need to prove harm. Simply being found in violation of the act alone is enough to constitute standing.

Some legal scholars believe the settlement could be a bellwether for future privacy legislation.

"This case is a great example of how states can take the lead to protect their residents' privacy rights despite Congress' failure to do the same," Nathan Freed Wessler, staff attorney with the American Civil Liberties Union' told Law360, "Lawmakers nationwide should follow Illinois' lead."

According to Paul Geller, one of the attorneys that represented the Illinois Facebook users, the social media site has altered how its platform collects data on users in the state in wake of the lawsuit.

It’s still too early to know exactly how much Facebook users will net from the settlement. Some reports suggest users could see a couple of hundred dollars. A federal judge in San Francisco, where the court case now resides, still needs to approve the settlement.

Regardless, it's one of the highest payouts around a data privacy breach in US history. The sum surpasses the $425 million Equifax set aside to help victims affected by its 2017 data breach. Despite all this, the $550 million settlement, which will be awarded to eligible Illinois users and for the plaintiffs’ legal fees, is just seven percent of what Facebook earned last quarter, $7.3 billion.

Tags: Data Breaches

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.