You've probably gotten the email hundreds, if not thousands of times. Facebook sends you a message letting you know that someone you're friended with tagged you in a photo. Chances are, whoever did it was responding to a suggestion from Facebook, which used its database of a almost a trillion images and its powerful facial-recognition algorithms to recognize your face and suggest the tag to your friend.

There's only one problem: If you happen to live in Illinois, that's probably against the law. Back in 2008, before facial recognition came into widespread use, Illinois passed the Biometric Information Privacy Act (or BIPA). It requires a private company that retains biometric identifiers to receive a "written release" to do so from anyone whose biometric information it keeps, and also to permanently destroy that information no later than three years after the person's last interaction with the company. Biometric information includes a voiceprint, retina scan, fingerprint, or "facial geometry." 

In other words, under BIPA, there's nothing wrong with Facebook keeping a trillion photographs in its database, or even more. But when it uses algorithms to recognize someone's face, it does it with facial geometry, and that violates the law, according to a lawsuit filed by three Illinois Facebook users.

Facebook responded with the following: To use Facebook, one must accept its terms of service, and one of those terms is that your relationship with Facebook will be governed by the laws of California. Nice try, but no such luck. A Federal court in California ruled yesterday that Facebook can't use its terms of service to supersede state law. If California law is applied, the court explains, "the Illinois policy of protecting its citizens' privacy interests in their biometric data, especially in the context of dealing with 'major national corporations' like Facebook, would be written out of existence."

Facebook is certain to appeal -- with vigor -- likely arguing the definition of facial geometry and other aspects of the case. If it stands, the decision will set a precedent that national (and international) technology companies must abide by the laws of all the states where they operate, which would do a lot to cramp their style. Indeed, Facebook has held off so far introducing facial recognition in Europe and Canada, presumably because of stricter privacy laws.

It will be interesting to see how this lawsuit progresses, especially given its implication that social networks and other Internet companies will have to abide by laws in every state where they have users. And though Facebook undoubtedly has the biggest database of faces and the most sophisticated facial recognition (even better than the FBI) it's not alone. Google and Shutterfly have also been sued over facial recognition in Illinois. And while Illinois and Texas are currently the only states that regulate uses of facial recognition, similar laws have been introduced or proposed in other states as well.

Stay tuned.

Published on: May 6, 2016
Like this column? Sign up to subscribe to email alerts and you'll never miss a post.