Facebook Wars II: Attack of the Privacy Violations

Alexander Glossman is a J.D. Candidate, 2021 at the NYU School of Law.

On Wednesday, January 29th, Facebook disclosed that it had settled a class-action lawsuit in Illinois for $550 million. While this disclosure was made during a call with analysts concerning the company’s quarterly financial results, which reported revenue increases of 25 percent and profit increases of 7 percent, the magnitude of this settlement and its possible implications should not be swept under the rug by the sheer volume of money being made. Though a bit more than half-a-billion dollars may not sound like much for a company with profits of $7.3 billion in the fourth quarter alone, the settlement of In Re Facebook represents one of the largest of its kind ever to be reached in a privacy lawsuit.

In this suit, the plaintiffs alleged in their complaint that Facebook had repeatedly and systemically violated the Illinois Biometric Information Privacy Act (BIPA). The company did so by collecting and storing users’ biometric data without giving notice or securing their consent. Through the social media platform’s “Tag Suggestions” function, it identified users by scanning their uploaded photographs, and allegedly then created and stored digital representations of those users’ faces based on the geometric relationship of facial features unique to each individual. Though it should be stressed here that Facebook has repeatedly rejected these allegations as meritless, the fact remains that had the case gone to trial, the company stood to lose billions of dollars rather than the comparatively slight $550 million settlement.

Under BIPA, should Facebook have been found liable, it would have owed each member of the class statutory damages ranging from $1,000 to $5,000. With Illinois home to somewhere between 5 and 6 million Facebook users, the possibility of a massive payout certainly began to loom large in the company’s internal risk assessments.

With the settlement, rather than the potential payoff in the thousands of dollars, class members will have to be content with something in the hundreds, depending on how many consumers join the class. But because BIPA has yet to face a conclusive test in court, it has not been precisely established how the number of alleged violations would be calculated. A case like this creates a lot of uncertainty, and it is “almost not sure who won in this case,” says Professor Matthew Kugler, an associate professor at the Northwestern Pritzker School of Law. “The plaintiff says ‘I was harmed,’ and the defendant says, ‘show me the receipt.’ You often can’t point to a dollar and cents consequence.”

What is not uncertain at all is the fact that privacy advocates around the country will look to this settlement, along with that between Facebook and the Federal Trade Commission for a much heftier $5 billion in 2019, as a template for the protection of individual privacy rights in the coming years. As eloquently put by Jay Edelson, a lawyer representing the plaintiffs in this case: “From people who are passionate about gun rights to those who care about women’s reproductive issues, the right to participate in society anonymously is something that we cannot afford to lose.” Within weeks of Facebook’s January settlement, a major new lawsuit was filed against Clearview AI for allegedly violating that same Illinois BIPA by “actively collect[ing], stor[ing] and us[ing] Plaintiff’s biometrics—and the biometrics of most of the residents of Illinois—without providing notice, obtaining informed written consent or publishing data retention policies.” While this case will no doubt take some time (In Re Facebook took nearly five years) to reach a settlement, much less a trial, there seems to be a new book out on how to target these data-mining big tech companies.

It remains to be seen how cases like this will influence lawmakers at the state and federal level. For example, California’s new privacy law, the California Consumer Privacy Act (CCPA), went into effect on January 1. By some measures, it ranks as the country’s toughest privacy law, but its private right of action only applies to cases of data breach stemming from negligent security practices.

At the national political level, former Democratic primary candidate Andrew Yang made privacy a central tenet of his campaign platform. He suggested that data should be a property right, and that every one of us should have the power of informed consent over what tech corporations can retain and use of the data we generate. Is this a feasible policy proposal? Perhaps! Will it come to pass? Probably not anytime soon, because Mr. Yang has taken his talents to CNN as a political commentator.

Going forward, privacy will only become a more substantial part of the conversation around social media platforms like Facebook. With this $550 million settlement, privacy advocates are upping the pressure on Facebook, which has faced increased scrutiny in Europe and Asia as well in recent years. I, for one, will be watching carefully to see how they respond in the years to come.

As a former resident of Illinois, and one who made frequent use of Facebook during that time, I will also be waiting to see the eligibility requirements for being included in the class. I could use a couple-hundred bucks of Mark Zuckerberg’s money.