SAN FRANCISCO (CN) – In what lawyers are calling the largest settlement ever reached in a privacy related lawsuit, Facebook will pay $550 million to settle claims it harvested users’ facial data without consent and in violation of a 2008 Illinois privacy law.
The announcement comes eight days after the Supreme Court denied Facebook’s petition to review the case and halt an impending trial that was put on hold in 2018 when Facebook appealed a lower court decision advancing the case.
“This case should serve as a clarion call to companies that consumers care deeply about their privacy rights and, if pushed, will fight for those rights all the way to the Supreme Court and back until they are justly compensated,” said plaintiffs’ lawyer Paul Gellar, of Robbins Geller, in a statement Wednesday.
Lead plaintiff Nimesh Patel sued Facebook in 2015 in one of three consolidated class actions, claiming the social network started mapping users’ faces for its “Photo Tag Suggest” function in 2011. The plaintiffs say Facebook did so without their permission and failed to inform them how long their data would be stored as required by the Illinois Biometric Information Privacy Act of 2008.
The company faced a potential $35 billion or more in liability. The Illinois statute carries civil penalties of $1,000 for each negligent violation and $5,000 for each knowing violation. With a class of potentially 7 million Facebook users, damages could have reached tens of billions of dollars.
The Menlo Park-based tech giant had argued users should not be allowed to bring a class action that could make it liable for an absurd amount of damages. The Ninth Circuit rejected that argument last year, finding no indication that the Illinois Legislature “intended to place a cap on statutory damages.”
Facebook was valued at $512 billion as of May 2019, and its CEO Mark Zuckerberg was worth $82.6 billion as Jan. 29, 2020, according to Forbes.
“We decided to pursue a settlement as it was in the best interest of our community and our shareholders to move past this matter,” Facebook spokeswoman Dina El-Kassaby said by email.
Plaintiffs’ attorney Jay Edelson, of Edelson PC, said he hopes this case convinces other companies to start paying more attention to the importance of biometric information and the need to respect individuals’ privacy rights.
“Biometrics is one of the two primary battlegrounds, along with geolocation, that will define our privacy rights for the next generation,” Edelson said.
Before its agreed to settle the case, Facebook had argued users lacked standing to sue because they suffered no “concrete harm,” such as a loss of money, resulting from the alleged violation.
In August 2019, a three-judge Ninth Circuit panel rejected those arguments, finding the loss of control over one’s private information is a real-world injury. Writing for the panel, U.S. Circuit Judge Sandra Ikuta, a George W. Bush appointee, wrote that “a concrete injury need not be tangible.”
The San Francisco-based appeals court later denied Facebook’s request for an en banc rehearing.
Before the case was stayed pending appeal in 2018, U.S. District Judge James Donato had ordered Facebook to alert millions of users about the lawsuit through emails, newsfeed posts, and “jewel” notifications, or Facebook alerts.
If the $550 million deal is preliminarily approved by Donato, class members will have to be informed of the settlement through similar means so they can opt out or object. A motion for preliminary approval of the settlement has not yet been filed.
A status conference in the case is scheduled for Feb. 6.
Illinois is the only state in the U.S. with a biometric privacy law that allows consumers to file lawsuits for monetary damages if their rights are violated.
“Here, Illinois enacted a statute not to thwart innovation, but to protect individuals’ privacy,” said plaintiffs’ co-counsel Michael Canty, of Labaton Sucharowy, in Chicago. “As technology advances, corporations must be mindful of the privacy of their customers and more importantly, comply with the law.”