Of course, when your 2020 revenue is over $84 billion, $650 million may not seem as large an amount to pay.

Been meaning to cover this story for over a week.  As reported by Bloomberg Law, U.S. District Judge James Donato of the Northern District of California approved a $650 million settlement on February 26th in a class action alleging Facebook Inc. violated the Illinois Biometric Information Privacy Act.

Judge Donato said it was one of the largest settlements ever for a privacy violation and would give each interested class member at least $345.

“Overall, the settlement is a major win for consumers in the hotly contested area of digital privacy,” Donato wrote.

Facebook users sued in 2015 over one of its photo-tagging tools, which looks for and identifies people’s faces in photographs uploaded to the social media site.

The plaintiffs alleged Facebook collected and stored digital scans of their faces in violation of Illinois’ Biometric Information Privacy Act, which requires companies to obtain consent before collecting data such as fingerprints and facial scans.

“We are pleased to have reached a settlement so we can move past this matter, which is in the best interest of our community and our shareholders,” a Facebook spokesperson said in a statement.

The case raised several “intensely litigated” issues, including whether statutory privacy injury was real and concrete to establish the injury-in-fact required for federal standing, Donato said. The court found it was sufficient for standing under Article III and the Biometric Information Privacy Act.

“The standing issue makes this settlement all the more valuable because Facebook and other big tech companies continue to fight the proposition that a statutory privacy violation is a genuine harm,” Donato wrote.

The settlement was increased to $650 million to $550 million after Donato expressed concern that the original figure was insufficient. Nearly 1.6 million class members submitted claims – out of about 6 million Illinois residents eligible.

Before 2018, only three states had biometric privacy laws: Illinois, Texas and Washington.  However, only the Illinois’ Biometric and Information Privacy Act provided for a private right of action, which (according to JD Supra) has made it very attractive to the plaintiffs’ bar.  The number is growing to include other states such as Louisiana, Arkansas, California, Oregon and New York that have at least modified other data privacy laws to include a biometric privacy component, with three other states (Massachusetts, Hawaii and Arizona) having pending biometric privacy legislation.

Biometric data is different from any other personal data.  You can change almost any data you have, even get a new social security number.  But you can’t change a fingerprint or retina – they always stay the same.  So, biometric data is especially vulnerable and needs particular protection.  I’m amazed more states haven’t already passed biometric security laws.

So, what do you think?  Do you think we need tougher biometric security laws through the US and the world?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.