Facebook said on Wednesday that it had agreed to pay $550 million to settle a class-action lawsuit over its use of facial recognition technology in Illinois, giving privacy groups a major victory that again raised questions about the social network’s data-mining practices.
The case stemmed from Facebook’s photo-labeling service, Tag Suggestions, which uses face-matching software to suggest the names of people in users’ photos. The suit said the Silicon Valley company violated an Illinois biometric privacy law by harvesting facial data for Tag Suggestions from the photos of millions of users in the state without their permission and without telling them how long the data would be kept. Facebook has said the allegations have no merit.
Under the agreement, Facebook will pay $550 million to eligible Illinois users and for the plaintiffs’ legal fees. The sum dwarfs the $380.5 million that the Equifax credit reporting agency agreed this month to pay to settle a class-action case over a 2017 consumer data breach.
Facebook disclosed the settlement as part of its quarterly financial results, in which it took a charge on the case. The sum amounted to a rounding error for Facebook, which reported that revenue rose 25 percent to $21 billion in the fourth quarter, compared with a year earlier, while profit increased 7 percent to $7.3 billion.
David Wehner, Facebook’s chief financial officer, noted in an earnings call with investors that the settlement added to the social network’s rising general and administrative costs, which increased 87 percent from a year ago.
“We decided to pursue a settlement as it was in the best interest of our community and our shareholders to move past this matter,” a Facebook spokesman said in a statement.
Jay Edelson, a lawyer whose firm represented Facebook users in the facial recognition suit, said the settlement underscored the importance of strong privacy legislation.
“From people who are passionate about gun rights to those who care about women’s reproductive issues, the right to participate in society anonymously is something that we cannot afford to lose,” Mr. Edelson said.
The privacy settlement coincides with heightened public concern over the spread of powerful surveillance technology like facial recognition. Companies like Amazon and Clearview AI are marketing face-matching software to law enforcement agencies to help them identify unknown suspects. The American Civil Liberties Union and other groups have warned that the spread of such services could end people’s ability to remain anonymous in public.
The case also illustrates the protections that strong state laws may offer consumers. Of the three states that have stand-alone biometric privacy laws, Illinois has the most comprehensive one. It requires companies to obtain written permission before collecting a person’s fingerprints, facial scans or other identifying biological characteristics. The law also gives residents the right to sue companies for up to $5,000 per violation, which could add up to billions of dollars in payouts for tech giants that lose such class-action suits.
“The Illinois law has real teeth. It pretty much stopped Facebook in its tracks,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center, a nonprofit group that filed a brief in the Facebook case. “Tech firms and other companies that collect biometric data must be very nervous right now.”
Since the Illinois law was enacted in 2008, it has vexed companies that market voice assistants, doorbell cameras, photo labeling and other technology that may collect biometric details from people without their knowledge or consent.
Many of the companies have argued that people should not be able to sue over violations of a consumer privacy law if they cannot prove they suffered concrete harms like financial losses. Facebook made similar claims in the facial recognition lawsuit, including in a petition in December asking the United States Supreme Court to review the case. The Supreme Court last week denied Facebook’s appeal.
But last January, in a case against an amusement park that had collected and stored a child’s fingerprints, the Illinois Supreme Court ruled that violating a person’s biometric privacy could constitute a harm in and of itself, enabling consumers to pursue privacy claims. An appeals court judge later issued a similar ruling in the Facebook case, denying the company’s bid to have the lawsuit dismissed.
“Courts have recognized that the very loss of control over this highly sensitive, highly personal information itself causes harm to people,” said Nathan Wessler, a staff attorney at the American Civil Liberties Union, which also filed a brief in the Facebook case.
Facebook has been dogged by complaints over its use of facial recognition since 2010, when it rolled out Tag Suggestions as the default option for users. People could turn it off, but privacy experts said the company had neither obtained users’ opt-in consent for the technology nor explicitly informed them that it could benefit by, for instance, using scans of their photos to improve its face-matching technology.
In 2012, Facebook deactivated the technology in Europe after regulators there raised questions about its consent system. Last year, as part of a $5 billion settlement with the Federal Trade Commission over privacy violations, Facebook agreed to provide “clear and conspicuous notice” about its face-matching software and obtain additional permission from people before using it for new purposes they had not agreed to.
In 2018, Facebook reintroduced facial recognition as an option for users in Europe. Last year, Facebook updated its facial recognition notices and settings for certain users, providing more details on how it uses the technology.