Zellmer's lawsuit against Facebook (now Meta) under the Illinois Biometric Information Privacy Act (BIPA) for violating his privacy rights shares similarities with the "In re Facebook Biometric Information Privacy Litigation" (case no. 15-cv-3747-JD), which was overseen by the same court for many years. That case concluded with Facebook agreeing to a $650 million settlement for Illinois users. However, a key distinction in Zellmer's case is that he never registered for a Facebook account or used its services, resulting in a completely different outcome. Below is a detailed analysis of Zellmer's case.
Case Background
In 2010, Facebook launched a feature called Tag Suggestions. If a user enabled Tag Suggestions, Facebook would analyze whether the user's Facebook friends were in the photos uploaded by the user, and if matched, Facebook would suggest tagging the friends. The Tag Suggestions feature operates in four steps. The first step is the detection phase, where Facebook analyzes the photo to determine if it contains a face. If Facebook detects a face, it generates a cropped image of the face. No further action is taken in this phase. The next step is the alignment phase, where Facebook standardizes any cropped face image by centering, forward-moving, and scaling it. Facebook does not always successfully standardize detected faces in photos, but if successful, Facebook moves to the crucial third step—the representation phase.
Facebook creates a "face signature," a string of numbers representing a specific face image. These numbers do not display facial features or distances between features; they are an abstract numerical representation of the aligned face crop created in the previous phase. No one, including Facebook, can reverse-engineer the numbers constituting a specific face signature to obtain facial information about a person.
The final step is the classification phase, occurring immediately after the creation of the face signature. Facebook compares the face signature with face templates of users who have enabled face recognition and are connected to the user who uploaded the photo, creating the face signature, not comparing it to non-users. Regardless of the result of the comparison, the face signature is immediately deleted.
Zellmer's photo was uploaded to Facebook by his friend, and because his friend had enabled the Tag Suggestions feature, Zellmer's photo was scanned and matched. Zellmer, being a non-user, was not tagged by Facebook. However, Zellmer later sued Facebook, alleging that the Tag Suggestions feature violated his privacy rights and made two claims under BIPA. First, he alleged under section 15(a) that Facebook "possessed" biometric data but did not publish a satisfactory "retention schedule." Second, he alleged under section 15(b) that Facebook "collected" or "captured" biometric data without proper consent.
The district court granted summary judgment on Zellmer's claim under section 15(b), finding that the statutory provision does not protect the privacy interests of non-users and that the legislative intent of BIPA was "not to impose special burdens on businesses." The court denied summary judgment on the claim under section 15(a), finding that there were factual disputes needing resolution through a full trial process.
Legal Analysis
BIPA Section 15(a): Private entities in possession of biometric identifiers or biometric information must develop and make publicly available a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, the entity must comply with its established retention schedule and destruction guidelines.
BIPA Section 15(b): No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information unless it first:
- Informs the subject or the subject’s legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
- Informs the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used;
- Receives a written release executed by the subject of the biometric identifier or biometric information or the subject’s legally authorized representative.
1. Legislative Intent of BIPA
1.1 Widespread Use of Biometric Security Applications
Biometric technology verifies identity by analyzing and recognizing personal biological characteristics such as fingerprints, faces, and irises. Due to its uniqueness and difficulty to forge, biometric technology has significant advantages in security applications and is becoming increasingly prevalent. Individuals, schools, hospitals, businesses, and governments increasingly use biometric security applications.
Although biometric security applications vary, they all detect biometric information to distinguish registered individuals from unregistered ones. This inevitably requires scanning unknown individuals whom the biometric security system has never encountered, and system owners cannot notify or obtain written consent from these individuals.
1.2 Applicability of BIPA
The Illinois legislature enacted BIPA to encourage the development and use of biometric technology while protecting the privacy of Illinois residents, particularly biometric data related to financial accounts. This legislative intent is reflected in BIPA's text and structure, indicating that it covers only certain types and uses of biometric data. Specifically, BIPA does not regulate biometric scans that are not used to identify individuals or scans where the data is immediately deleted.
BIPA does not apply to transient scans or biometric identifiers or biometric information that is instantly deleted. It applies only to information retained by biometric applications. This must be understood in conjunction with the definitions of relevant terms like "possess" in Section 15.
For example, BIPA does not define the meaning of "possess" biometric data under Section 15(a). Therefore, the term should be understood in its ordinary sense. According to the Illinois Supreme Court, the ordinary meaning of "possess" is "to have or take into one's control or hold," or "the fact of having or holding property" or "the exercise of control over property." In this case, Facebook's Tag Suggestions program deletes the biometric data after identifying users, meaning this transient scan does not meet the level of "possession" under BIPA, nor does it meet higher levels such as "collecting" or "storing," hence posing no risk of being sold or disclosed.
2. Court's Interpretation of BIPA in the Zellmer Case
2.1 BIPA Only Regulates Biometric Programs Between Businesses and Users
BIPA aims to apply to interactions between businesses and customers, meaning it applies to situations where there is at least minimal known contact between an individual and an entity that may collect biometric information. Zellmer and similar non-user entities are complete strangers to Facebook. The legislature did not intend for BIPA to govern all biometric applications. BIPA aims to achieve this goal through tailored regulations on the use of certain types of biometric data in certain situations, as reflected in the Illinois Supreme Court's ruling that BIPA should not impose special burdens on businesses.
2.2 Practical Issues with Zellmer's Claim
Zellmer argues that facial recognition without written consent may violate BIPA, but this view faces several practical problems. Firstly, requiring Facebook to identify and contact every non-user for consent is unrealistic, significantly increasing platform operating costs. Moreover, contacting non-users would require obtaining their contact information and matching it with their photos, infringing on personal privacy. Secondly, Zellmer's suggestion of using Illinois users as the "legal authorized representatives" for non-users to confirm consent is impractical and not clearly outlined by BIPA. Additionally, requiring users to obtain written permission from every person in a photo before scanning faces in public photos shared on social media is nearly impossible, as it demands users to rigorously scrutinize and obtain consent from every face in the photo, severely limiting the freedom to share everyday life photos on social media. Therefore, Zellmer's interpretation presents insurmountable practical difficulties, making biometric security applications unable to meet legality requirements if adopted.
2.3 Scan Results That Do Not Identify Specific Individuals Are Not "Biometric Identifiers" or "Biometric Information"
BIPA regulates private entities collecting or storing certain types of biometric data, including requiring informed consent for collection and publishing retention schedules. According to the text, BIPA only regulates "biometric identifiers" and "biometric information," which are limited to data used to identify specific individuals. If a biometric system scans data that cannot be used to identify the person—because the person is not registered in the system, for example—this data does not constitute "biometric identifiers" or "biometric information" as defined by BIPA.
From the legal text interpretation principles, court interpretation of legal provisions should follow "common sense" and avoid "absurd, inconvenient, or unjust results." First, legal term interpretation should start with a literal interpretation. BIPA Section 10 defines "biometric identifiers" as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. The listed items in this definition are all means of identifying specific individuals. For example, "voiceprint" is explained in Black's Law Dictionary as "a unique, machine-formed curve and spiral pattern by measuring human voices to identify individual speakers."
Second, when literal interpretation is ambiguous, a "contextual" systematic interpretation method can be used. The same section defines "biometric information" as any information based on biometric identifiers used to identify an individual, regardless of how it is obtained, converted, stored, or shared. Adding the phrase "used to identify an individual" to the definition of "biometric information" suggests that "biometric identifiers" and "biometric information" should be understood together to exclude biometric data not used to identify specific individuals.
This understanding of BIPA's key provisions is further confirmed when "reading the statute as a whole and considering all relevant parts." Section 15(e) requires treating biometric identifiers and biometric information with the same standard as "other confidential and sensitive information." BIPA Section 10 defines "other confidential and sensitive information" as "personal information that can be used to uniquely identify an individual or an individual's account or property." Therefore, BIPA can be seen as a "harmonious whole" only if "biometric identifiers" and "biometric information" are limited to biometric data used to identify specific individuals, just like "other confidential and sensitive information." Additionally, the codification framework of BIPA incorporates common law privacy rights, defining privacy infringements as involving "identifiable information about the plaintiff."
Third, from the legislative purpose perspective, BIPA Section 15(b) requires entities collecting biometric data to inform individuals of the reason for the collection and obtain written consent. The legislature could not have intended to apply this informed consent requirement to individuals from whom consent cannot be obtained due to the system's inability to identify them.
3. Court Did Not Grant Summary Judgment on Zellmer's Second Claim
The dispute between Zellmer and Facebook involved significant factual issues needing resolution through trial. For example, Facebook argued that face signatures were deleted if they did not match existing face templates, while Zellmer countered that Facebook stored biometric information for future use. Zellmer claimed that all steps of Facebook's facial recognition technology and resulting data constituted face geometry scans, which Facebook denied. Furthermore, there was a dispute over whether face signatures could identify non-users. A Facebook engineer stated that face signatures were useless for identifying unknown faces as they could only be used with Facebook's existing face templates, which Zellmer disputed.
In conclusion, the court dismissed Zellmer's claims.
Compliance Recommendations
As the court noted in this case, biometric applications are becoming increasingly widespread, bringing significant convenience while raising numerous privacy concerns. The Illinois Biometric Information Privacy Act (BIPA) sets clear legal frameworks for the collection, storage, and use of biometric information, but the most important condition is that businesses need to comply with BIPA only when collecting and using biometric data that can identify specific individuals.
When applying biometric systems, businesses may face privacy compliance risks, including collecting data without consent (from identifiable individuals), data breaches, lack of transparency, and data retention issues. These risks could lead to privacy infringements, legal disputes, and reputational damage. To mitigate these risks, businesses should take several measures, including obtaining explicit written consent from data subjects before collecting biometric information, developing and publicly disclosing policies for the collection, use, and protection of biometric data, enhancing data security measures like encryption and access control, establishing and adhering to data retention and destruction policies, and having contingency plans for rapid response and action in case of data breaches. Additionally, businesses should collect only the data necessary for business purposes and limit the storage duration to minimize potential privacy risks. Through these comprehensive measures, businesses can effectively utilize biometric technology while ensuring personal privacy protection, reducing litigation and reputational risks.
Kaamel's Assistance
Kaamel is always at the forefront of privacy protection, and we believe in helping businesses identify and address privacy compliance risks through technology-driven methods.
Kaamel's innovative AI detection engine, based on mainstream regulations and regulatory case law, can help businesses quickly and comprehensively identify their privacy compliance risks. Kaamel also provides comprehensive privacy compliance solutions, helping businesses effectively address regulatory and user needs in their international operations, reduce privacy risks and compliance issues, and establish privacy trust in the global market.