A federal judge has denied a motion to dismiss a civil case against photo-sharing site Shutterfly that claims the company violated users' privacy by collecting and scanning face geometries from uploaded images without consent.
The first-of-its-kind ruling could open the door to future class-action lawsuits against Shutterfly and other social networks that use facial recognition technology without an opt-in policy.
The civil lawsuit, brought by the law firm Carey Rodriguez Milian Gonya LLP on behalf of Brian Norberg, alleges that Shutterfly violated the Illinois Biometric Privacy Act (BIPA) by collecting and scanning face geometry in photos uploaded on Shutterfly's website without the consent of those featured in the images.
In his ruling, U.S. District Court Judge Charles R. Norgle rejected Shutterfly's argument that only in-person scans of people's faces are covered under the statute.
The lawsuit alleges that Norberg, "along with potentially millions of others," was never informed that his facial images would be collected, nor was he informed where the images would be stored or for how long, as is required under the BIPA.
In addition to the case against Shutterfly, the law firm is also leading separate claims against other companies on biometric data, including one against Facebook.
Norgle additionally ruled that the collection of face prints from photos is also covered under the statute. The statute, which also covers iris and fingerprint scans, provides for recoveries of $5,000 for each violation.
Jennifer Lynch, a senior staff attorney with the Electronic Frontier Foundation, said the ruling, while significant, meets a relatively low standard in civil litigation.
"The judge said the plaintiffs will have an opportunity to prove their claims," Lynch said.
A spokesperson for Shutterfly said the company doesn't comment on pending litigation.
In April, a Chicago man filed a class-action lawsuit against Facebook's "Tag Suggestions," claiming the feature violated BIPA by using facial recognition technology to identify people without their written consent.
"That's the key, whether the company has gotten opt-in consent," Lynch said. "The way I read the law is it's a clear violation if they've not gotten their expressed consent."
Carlo Licata, the plaintiff in the Facebook case, said in his complaint that the social network doesn't disclose "its wholesale biometrics data collection practices in its privacy policies, nor does it even ask users to acknowledge them.
"Instead, Facebook merely hints at the underlying functionality behind Tag Suggestions -- only describing the feature's use of facial recognition software on remote sections of its website. With millions of its users in the dark about the true nature of this technology."
Licata's case was transferred to the U.S. District Court for Northern California, where Facebook is headquartered. In October, Facebook also requested that the case be dismissed. There has been no ruling on the motion to date.
Facebook based its motion for dismissal on the terms of service and the fact that California, where it is located, doesn't have a biometric protection statute like BIPA in Illinois.
When users sign up for Facebook, its terms of service include that its facial recognition tagging feature will be allowed unless a member opts out. If a member of Facebook posts photos with other people's images, the tagging feature cannot work unless people are "friends" on Facebook and both have not opted out of the feature.
In an email reply to Computerworld, a Facebook spokesperson said, "This lawsuit is without merit and we will defend ourselves vigorously."
The only other state that has a law similar to BIPA is Texas, but its law states that lawsuits must be brought by the state and not individuals. There has been federal legislation calling for privacy rules around biometric information, but to date, none have passed.
BIPA, passed in 2008, states that no private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first informs the subject and gets their permission.
In Licata's case, he uploaded the photos in question. In the Shutterfly case, Norberg claims he never used the photo-sharing website and that other people uploaded the images of him.
"Currently, Illinois is the only state to allow private citizens to sue," David Milian, lead partner in the case at Carey Rodriguez, said in a statement. "The data privacy concerns are enormous. You can always change your password or get a new credit card or Social Security number if these websites are hacked, but you can't change your facial geometry."