SAN FRANCISCO (CN) – Rejecting suggestions on how the Founding Fathers might view modern digital privacy rights, a federal judge on Thursday refused to dismiss a class action claiming Facebook harvested users’ biometric facial data without consent.
In 2016, Facebook attorneys argued in court that the authors of the U.S. Constitution never intended that people be allowed to sue Facebook in federal court for the mere violation of a law, unless the plaintiffs suffered actual harm.
U.S. District Judge James Donato rejected that argument Monday, finding Facebook’s allegedly unauthorized collection of biometric facial data caused “intangible harm” by depriving users of control over their private data.
The social network sought to dismiss three consolidated class actions brought by Facebook users in Illinois. The lawsuits claim Facebook’s analyzing and storing of facial data for its “Photo Tag Suggest” function violates the Illinois Biometric Information Privacy Act (BIPA), enacted in 2008.
Under BIPA, companies are required to obtain consent before collecting or disclosing biometric data, such as retina scans, fingerprints, voiceprints, hand scans, or facial geometry.
“A violation of the BIPA notice and consent procedures infringes the very privacy rights the Illinois legislature sought to protect by enacting BIPA,” Donato wrote in his 10-page ruling. “That is quintessentially an intangible harm that constitutes a concrete injury in fact.”
Donato delayed ruling on Facebook’s motion to dismiss for more than a year as he waited for the Ninth Circuit to issue an opinion in the remanded case, Robins v. Spokeo. In Spokeo, the Supreme Court ruled in May 2016 that a Virginia man could not sue an online search engine for posting inaccurate information about him unless he suffered actual harm as a result.
On remand, the Ninth Circuit held in August 2017 that Robins could sue Spokeo because misinformation about his age, family and economic status caused “concrete” harm that could affect his ability to get a job, unlike more innocuous misinformation like a wrong zip code.
“Our circuit has specifically affirmed findings of concrete injury, and standing to sue, when plaintiffs were deprived of procedures that protected privacy interests without any attendant embarrassment, job loss, stress or other additional injury,” Donato wrote in his ruling.
Facebook has argued that its user agreement and data policy fully complied with the Illinois privacy law. Donato found that factual dispute must be decided at summary judgment or trial.
The judge denied Facebook’s motion to dismiss for lack of jurisdiction.
A hearing on the plaintiffs’ motion for class certification is scheduled for March 29 in San Francisco.
Attorneys for both sides did not immediately return phone calls seeking comment Monday afternoon.
The plaintiffs are represented by Paul Geller, of Robbins Geller Rudman & Dowd, in Boca Raton, Florida. Facebook is represented by Vincent Connelly, of Mayer Brown, in Chicago.
Cofounded in 2004 by Harvard dropout and Facebook CEO Mark Zuckerberg, the Menlo Park-based social network had 1.4 billion active daily users as of December 2017 and was valued at $407.3 billion as of May 2017, according to Facebook and Forbes.