In July, Instagram’s parent company Meta Platforms, Inc. (“Meta”) agreed to a $68.5 million class-action biometric privacy settlement in connection with the company’s alleged violation of Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA).
Filed in June after initial mediations and settlement negotiations took place, the lawsuit alleged that Instagram’s facial recognition technology violated BIPA when the company collected and stored biometric data without complying with BIPA’s requirements. While Instagram had initially claimed that its facial recognition software (discontinued in November 2021) had merely used an individual’s template to find photos and videos on Facebook to make suggestions or recommendations on the platform, the lawsuit alleged that Meta was actually capturing users’ biometrics without their informed consent in violation of BIPA.
In the settlement documents, plaintiff’s attorneys estimate that approximately 4 million Illinois residents could be eligible for the settlement, with the size of the payouts being contingent on how many eligible class members successfully file valid claims and how long those eligible users used Instagram between the relevant period of August 2015 to August 2023.
BIPA, which was passed in 2008, remains one of the strictest privacy laws in the country, and Meta’s Instagram settlement reflects but another data point in a growing list of Big Tech companies forced to make significant payouts based on alleged violations of BIPA:
- In 2020, Facebook—also owned by Meta—settled a 2015 class action lawsuit for $650 million in connection with alleged BIPA violations claiming that the company collected and stored biometric data in the form of scans of users’ faces without prior notice or consent.
- In 2022, Google, owned by Alphabet, Inc., settled a 2016 class action lawsuit for $100 million in connection with alleged BIPA violations claiming that Google’s face grouping feature in Google Photos unlawfully collected users’ biometrics without their consent.
- Snapchat, owned by Snap Inc., also settled a 2016 class action lawsuit for $35 million in connection with alleged BIPA violations claiming that certain Snapchat features collected user’s biometric facial information without prior notice or consent.
This developing trend highlights the growing public pressure to hold Big Tech companies accountable for the ways in which they collect, store, and monetize user data. These settlements also highlight the efficacy of Illinois’ 15-year-old privacy regime and confirms its position as the “gold standard” for the regulation of biometric technologies—something particularly noteworthy considering that Congress has yet to adopt analogous federal legislation.
Because of the accuracy and efficiency of biometric identification technologies, their development continues to advance at a rate that makes it difficult to ascertain what they may look like in the years to come, which also makes it difficult for companies to determine how they might be regulated tomorrow even if they have figured out how they might be regulated today. Still, the on-going development of BIPA jurisprudence will likely be instructive for companies looking to ensure regulatory compliance at a state- or federal-level as they pursue these emerging-yet-inevitably-pervasive technologies.