Facebook can’t avoid privacy suit over biometric face prints

Facebook Inc. failed again to get out of a lawsuit alleging its photo scanning technology flouts users' privacy rights.

A federal judge in San Francisco ruled Monday that the world's largest social network must face claims that it violated the privacy of millions of users by gathering and storing biometric data without their consent. Alphabet Inc.'s Google is fighting similar claims in federal court in Chicago.

U.S. District Judge James Donato's decision to let the class-action case proceed means that Facebook is still potentially on the hook for fines under a unique Illinois law of $1,000 to $5,000 each time a person's image is used without permission. A court victory for consumers could lead to new restrictions on Facebook's use of biometrics in the U.S., similar to those in Europe and Canada.

"When an online service simply disregards the Illinois procedures, as Facebook is alleged to have done, the right of the individual to maintain her biometric privacy vanishes into thin air," Donato wrote in Monday's ruling. "The precise harm the Illinois legislature sought to prevent is then realized."

Donato previously rejected Facebook's argument that the case had to be dismissed because the attempt to enforce Illinois law runs afoul of its user agreement that requires disputes to be resolved under the laws of California, where it's based.

Facebook says users can't stop it from using biometric data.

Courts have struggled over what qualifies as an injury to pursue a privacy case in lawsuits accusing Facebook and Google of siphoning users' personal information from emails and monitoring their web browsing habits. Suits over selling the data to advertisers have often failed.

In 2016, the U.S. Supreme Court set a "concrete injury" standard for privacy suits in a case involving search-engine operator Spokeo Inc., a ruling that both sides in the Facebook suit attempted to use to their advantage.

The Illinois residents who sued under the Biometric Information Privacy Act said the 2008 state law gives them a "property interest" in the algorithms that constitute their digital identities -- in other words, gives them grounds to accuse Facebook of real harm.

Facebook, which got the case moved to San Francisco from Illinois, argued the users hadn't suffered a concrete injury such as physical harm, loss of money or property; or a denial of their right to free speech or religion.

Donato concluded that the alleged violation of the user-consent requirement in the Illinois law goes to "the very privacy rights the Illinois legislature sought to protect."

"This injury is worlds away from the trivial harm of a mishandled zip code or credit card receipt," he wrote.

A spokeswoman for Facebook declined to comment on the ruling.

The Facebook case is In re Facebook Biometric Information Privacy Litigation, 15-cv-03747, U.S. District Court, Northern District of California (San Francisco). The Google cases are Rivera v. Google, 16-cv-02714, and Weiss v. Google, 16-cv-02870, U.S. District Court, Northern District of Illinois (Chicago).