Facebook payout a rallying cry for privacy backers

A $550 million privacy settlement by Facebook that may reverberate across the tech industry came thanks to a law that Illinois legislators passed at an opportune time: before anyone in Silicon Valley was really paying attention.

Today, provisions in this one-of-a-kind law — which not only limits the use of consumers' biometric information but allows them to personally sue companies — are among key sticking points in privacy rules being debated by lawmakers in Congress and in several statehouses around the country.

The case was filed in 2015 by plaintiffs who alleged Facebook had violated the 2008 Illinois law, the Biometric Information Privacy Act, or BIPA, when it used people's facial features to suggest friends they might want to tag in photos. The suit alleged Facebook failed to get permission from users, as required by the law, before collecting their biometric facial recognition data.

After four years of litigation, Facebook tried to quash the suit in an appeal to the Supreme Court, arguing the plaintiffs hadn't suffered measurable harm as is required in federal court. After the high court refused to review the matter, Facebook hired a noted trial lawyer, Michael Rhodes of Cooley LLP, but then agreed to settle weeks before the case was set to go to trial.

Now, privacy advocates are flagging that settlement, which Facebook revealed last week during an earnings call, to argue that privacy legislation elsewhere in the country needs a similar private right to sue companies.

"The settlement shows that a law without a private right of action is pretty toothless, especially in an ecosystem where the regulators aren't doing a lot of enforcing," said Lindsey Barrett, staff attorney at the Institute for Public Representation at Georgetown Law School.

With the settlement pending final approval by the court, Facebook refused to discuss issues related to the case. In a statement, a Facebook spokesperson said, "We decided to pursue settlement as it was in the best interest of our community and our shareholders to move past this matter." Facebook reported $21.08 billion in revenue in the most recent quarter.

Critics of the private right to sue say it yields inconsistency in enforcing laws, with state and federal courts in different places interpreting the law differently, making it difficult for a company to know what exactly it must do to comply. Another objection: the pace of litigation. Cases often last years, leaving companies in limbo on important policy decisions.

Many consumer protection laws are backed up with a private right to sue. However, except for the Illinois law, passing privacy legislation that includes that right has proven difficult. A federal privacy bill introduced last year by Sen. Maria Cantwell, a Democrat from Washington, includes a private right to sue, but appears unlikely to garner much Republican support in its current form.

"This is how Congress has ensured for a century that laws intended to protect the public are enforced, private right of action," said Adam Schwartz, a lawyer with the Electronic Frontier Foundation, a privacy and digital rights nonprofit.

California and Texas recently passed privacy bills without a private right to sue. The California law, which took effect in January and will start to be enforced in July, has seen spotty compliance so far, according to privacy advocates. Attorney General Xavier Becerra's office told state lawmakers at a hearing last April that his 23-person privacy team would be able to prosecute only three cases a year.

In Washington state, privacy advocates hope the Facebook settlement will help convince lawmakers on the fence to help stop a privacy bill backed by Microsoft and other tech companies. The individual right to sue is one point of contention. Rep. Norma Smith, a Republican who supports that right, said the Facebook settlement strengthened her side's case.

"It underscores why you have to have meaningful access to justice for an individual," Smith said. "We should have a meaningful voice in how our personhood is sliced and diced and monetized."

Within 48 hours of Facebook's announcement of the settlement, Edelson PC, the law firm that brought the case, received over 5,000 calls and emails from people looking to join the class action, said Jay Edelson, the firm's founder and CEO. Many of these people lived outside Illinois. Edelson's message to them: Call your state lawmakers.

"We have to explain to them that their state didn't pass a biometric law that gave them a right to sue," Edelson said.

The Illinois law passed in 2008 after Pay by Touch, a company that linked payments to the swipe of a finger, went bankrupt. Fears that the company's fingerprint data could be sold prompted state lawmakers to pass the country's first biometric privacy bill.

It's a historical accident that Illinois has this law. — Matthew Kugler, Northwestern Law School professor

The only witness who testified on the record during debate on the bill was the local ACLU lawyer who drafted the bill, James Ferg-Cadima, according to a paper published last year by Matthew Kugler, a Northwestern Law School professor. Not a single tech company representative or lobbyist was there to make the industry's case. Today, Silicon Valley pushes hard to shape privacy bills.

"It's a historical accident that Illinois has this law," said Kugler. "Facebook, Google, they didn't think of themselves as in the biometric game back in 2008. They didn't show up."

It was 2011 when Facebook began using facial recognition to suggest friends users might want to tag in their photos. Edelson, along with the law firms Robbins Geller Rudman & Dowd and Labaton Sucharow, filed suit in 2015, and the case became something of a landmark. Roughly 90% of the hundreds of biometric data cases that have been brought under BIPA have targeted employers who collected biometric data to clock workers in and out of shifts, according to Edelson and Kugler.

These cases rely on a more narrow interpretation of the law, and usually involve more-modest sums. The Facebook case, however, suggests a broader application of BIPA — and one that is potentially more lucrative for attorneys and their clients.

Facebook, Google and other tech companies have devoted substantial resources to rolling back the Illinois law, without success. Edelson said Silicon Valley's lobbying in Springfield grew so intense that he built up a seven-person government affairs team, essentially an in-house lobby shop, dedicated to countering the efforts in the state capitol.

The law mandates a penalty of anywhere from $1,000 per unintentional violation to $5,000 per willful violation of the statute. Given the number of Facebook users in Illinois, the company could have faced the prospect of billions in fines if the case went to trial.

Facebook threw big resources into defeating the suit. Among those on its outside legal team from Mayer Brown LLP was one of the firm's top Supreme Court litigators, suggesting that Facebook had its eye on challenging the law in the nation's high court. Facebook's legal team at Mayer Brown declined to comment.

The Mayer Brown team had faced off with Edelson in an earlier landmark privacy case, Spokeo Inc. v. Robins, in which a California man said a company shared false information about him in violation of the Fair Credit Reporting Act.

Mayer Brown appealed that case to the Supreme Court, arguing that the plaintiff had not suffered material harm and lacked the right to sue in federal court. In 2016, the high court ruled in favor of Mayer Brown's client, Spokeo, concluding that the plaintiff needed to demonstrate harm, but not necessarily physical or material harm. The ruling left it open to lower courts to find that the mere taking of a person's biometric data without consent constituted sufficient harm to sue.

The high court's makeup shifted more conservative since that case. Throughout the proceedings in the Facebook case, the Facebook legal team seemed intent on getting another crack at a more favorable Supreme Court ruling on that same issue of harm that could substantially weaken the law's reach, Edelson said.

In their Supreme Court petition, Facebook's attorneys wrote that one plaintiff had testified that Facebook's facial recognition software was "a nice feature" that he did not wish to "opt out of."

"This was the most heavily litigated privacy case I've ever been involved in," Edelson said. "They were bringing a lot of arguments to bear where I don't believe they were expecting to win at the trial level. They were just trying to tee everything up for the Supreme Court."

When the 9th Circuit Court of Appeals found that the plaintiff had suffered sufficient harm to sue Facebook in federal court, the company filed the appeal that the Supreme Court declined to hear.

That the courts rejected Facebook's arguments is a reflection of the shifting legal and public conversation around biometric data. That conversation once revolved around the potential for problems like identity theft, that someone could, for instance, use a stolen copy of your data to access your bank account or otherwise impersonate you.

Today, people fear being publicly tracked and losing anonymity, which is why privacy advocates say the mere act of collecting biometric data without an individual's permission is sufficient to show harm.

Still, the matter is hardly settled law. Though the 9th Circuit Court of Appeals ruled against Facebook, other courts have ruled differently. Some Supreme Court watchers think the high court is waiting for the right case before weighing in again.

"That's a difficult situation for a tech company," Kugler said. "If I can't tell you whether this is against the law, it means you are going to get sued, and you might not win."