In my recent year-end summary of corporate and securities liability trends (here), I identified privacy as an important and growing area of corporate risk and specifically mentioned biometric privacy issues as being of particular concern. Almost as if to prove my point, on January 29, 2020, in its SEC filing on Form 10-K, Facebook announced that it had agreed to pay $550 million to settle a biometric data privacy class action lawsuit that had been filed on behalf of Illinois users in connection with the company’s use of facial recognition software. According to plaintiffs’ lawyers involved in the case, the settlement represents the largest-ever cash settlement to resolve a privacy-related lawsuit. This massive settlement shows the significance of privacy issues and underscores that privacy issues – particularly biometric privacy issues – are likely to be an important corporate liability battleground.
In April 2015, plaintiffs’ lawyers filed a putative class action against Facebook in the U.S. District Court for the Northern District of California on behalf of Facebook users, alleging that Facebook’s “tag suggestions” facial recognition feature violates the Illinois Biometric Information Privacy Act (BIPA) and seeking statutory damages and injunctive relief. (For further background about BIPA, refer here.)
In April 2018, the district court certified a class of Illinois residents. In May 2018, the district court denied the parties’ cross-motions for summary judgment. Facebook appealed the district court’s ruling that the plaintiffs had alleged a sufficient injury to establish Article III standing.
In an August 2019 opinion (here), the Ninth Circuit affirmed the district court’s ruling that the plaintiffs had alleged sufficient injury to establish Article III standing. The appellate court held that Facebook’s development and use of facial recognition technology without the consent of users constituted an invasion of the privacy interests that BIPA was intended to protect.
In December 2019, Facebook filed a petition to the U.S. Supreme Court for a writ of certiorari, seeking to have the Court take up the case, and arguing that the district court had erred in concluding that the plaintiffs had adequately pled standing where they failed to allege that they had suffered a personal, real-world injury from the alleged violation of BIPA.
In a January 21, 2020 order (here), the U.S. Supreme Court denied the cert petition, sending the case back to the district court, where trial was set to begin soon. As a result of the parties’ mediation efforts, the parties reached a settlement. Facebook disclosed the settlement in its January 29, 2020 earnings call with analysts. The settlement is subject to court approval.
Under the terms of the settlement, Facebook would be required to establish a $550 million cash fund on behalf of and for the benefit of the class of millions of Illinois users. The district court’s class certification order defined the class as Facebook users in Illinois for whom Facebook created a stored-face template after June 7, 2011, the date Facebook made its tag suggestion feature available in most countries.
The most immediately notable thing about the settlement is of course its massive size. But as distracting as the gigantic size of the settlement is, there are some other things that should not be overlooked here.
The first is that Facebook is not an Illinois company. It is a Delaware corporation that is based in California. Yet it was sued – not in Illinois, but in federal court in California – for an alleged violation of the Illinois biometric privacy law. Clearly the liability risk under BIPA reaches far beyond the borders of Illinois itself.
One possible explanation of the settlement’s massive size is the potential under BIPA for per-violation damages, creating the possibility of a massively multiplied judgment. BIPA allows for the recovery of the greater of actual damages or liquidated damages of $1,000 (for negligent violations) or $5,000 (for intentional or reckless violations). Given Facebook’s millions of Illinois users, the potential damages in the case were enormous.
It might be tempting to try to minimize this settlement as the odd outcome resulting from Illinois’s peculiarly strict privacy law. The fact is that though Illinois’s biometric privacy laws are strict, Illinois is far from the only state that has laws protecting biometric privacy. Both Texas and Washington state have long had legislation on the books protecting biometric data privacy. In recent years, a number of other states have enacted legislation protecting biometric data privacy, including Arkansas, California, and New York. In addition, a number of other states are considering legislation to protect biometric data privacy, including Alaska, Delaware, Florida, Arizona, Hawaii, Oregon, Massachusetts, New Hampshire, New Jersey and Rhode Island.
Though there are many important things about this settlement beyond just its gigantic size, the settlement’s gigantic size does present its own message. The settlement clearly shows the significant risk that biometric privacy issues present for companies.
Biometric privacy issues are likely to remain a significant concern and corporate risk exposure going forward, for the very basic reason that the breach or disclosure of biometric data cannot be remedied as are other types of data breaches; while a consumer whose credit card data is breached can cancel the old card and get a new credit card, an individual whose biometric data is breached or disclosed cannot change their biometric data.
Thus, the potential breach or disclosure of biometric data will remain a significant concern, which in turn puts significant pressure on companies to protect, secure, and not misuse the biometric data. As this settlement demonstrates, companies alleged to have committed biometric data privacy violations could face significant liability exposure. Alison Frankel, in her January 30, 2020 post on her On the Case blog (here), asked the rhetorical question, “Does Facebook’s $550 Million Settlement Change the Privacy Class Action Game?” The answer in my view is “Yes.” (I think that is also Alison’s answer.)
Those readers interested in thinking about other potential areas of corporate privacy liability exposure will want to consider the statement by one of the plaintiffs’ lawyers from the Facebook case, who was quoted in a January 29, 2020 Law360 article about the settlement (here) as saying that “Biometrics is one of the two primary battlegrounds, along with geolocation, that will define our privacy rights for the next generation.” So, for those readers who have read this far, the point is that corporate privacy liability exposure will include both biometric privacy exposures and geolocation exposures. Put it down on your watch list – there will be further biometric privacy violation lawsuits, and geolocation privacy could be next.
There is one more aspect of this settlement that bears comment here, and that is the fact that it involves Facebook. You can speculate about why, but for whatever reason Facebook repeatedly finds itself representing a first-of-its-kind example of important liability trends. For example, Facebook was among the first companies to be hit with a GDPR-related securities class action lawsuit (about which refer here). Last year, Facebook’s massive $5 billion settlement with the FTC presented an example of how privacy violations could lead to significant corporate exposures. A Cambridge Analytica scandal-related securities class action lawsuit against Facebook provided an example of how privacy-related allegations could lead to a securities class action lawsuit.
While Facebook clearly has its own company-specific issues regarding privacy concerns, it would be a mistake to generalize about privacy concerns as problems that are peculiarly distinctive to Facebook and to Facebook alone. The vast reach of Facebook’s user base does multiply the seriousness of Facebook’s privacy issues, but Facebook is far from the only company with liability exposures relating to privacy violations. Facebook may well have fallen into a peculiar pattern of being the first company to experience a particular problem, but the liability exposures arising from privacy violations do not relate just to Facebook alone.
I know there are some readers who will object that as serious as privacy liability issues may be, they are not D&O exposures. The fact is that any serious liability concern a company faces could be translated into a mismanagement claim or a disclosure omission claim. The likelihood is that we will see management liability claims following in the wake of biometric privacy liability claims, as well as other types of claims alleging privacy law violations. I continue to believe that privacy-related issues represent a significant area of future corporate and executive liability exposure.