Image: Instagram

TikTok is not the only social media platform allegedly collecting and storing users’ biometric data – including their faceprints – without notifying them. In a newly-filed class action lawsuit, Instagram user Kelly Whalen claims that the Facebook-owned social media platform is in the business of “collecting, storing, and using users’ biometric information without [obtaining users’] informed written consent,” thereby, running afoul of the Illinois Biometric Information Privacy Act (“BIPA”). 

On the heels of Facebook agreeing to pay $650 million in order to settle a class action that accused the Mark Zuckerberg-founded company of “illegally harvesting the protected biometrics of users of its Facebook platform,” the tech giant is now on the hook over Instagram. According to the proposed class action lawsuit that she filed in a state court in San Mateo, California early this week, Whalen claims that by way of Instagram, Facebook is “actively collecting, storing, disclosing, profiting from, and otherwise using” the biometric information of its “more than 100 million users without any written notice or informed written consent, including millions of Illinois residents.” 

Whalen asserts that Facebook captures Instagram users’ “protected biometrics without their informed consent and, worse yet, without actually informing them of its practice” whenever they upload images to the platform, which it uses to “bolster its facial recognition abilities across all of its products, including the Facebook application, and shares this information among various entities,” including “various teams operating across [Facebook’s] own various platforms,” as well as third parties, including “other apps, websites, and third-party integrations, Facebook’s partners, including … vendors and service providers.” 

In term its own use, Whalen claims that Facebook “profits from Instagram users’ protected biometrics by using them to improve the accuracy of its own facial recognition services, to expand the datasets which enable its facial recognition software, and to cement its market-leading position in facial recognition and social media.” 

Beyond Instagram users, though, Facebook has “readily admitted” to collecting biometrics data from Instagram users of others. To be exact, Whalen claims that Facebook scans the “faces of unnamed people in [Instagram users’] photos or videos to analyze details of individuals’ faces and creates a corresponding ‘face template’ for each face, and then stores that face template for later use and/or matching it to those already in a database of identified people.”  As Instagram and Facebook users “continue to manually tag friends, family, and other people they recognize in a photograph, Facebook’s software automatically compares those images to the face templates in its database,” Whalen asserts. “If there is a match, Facebook may identify the user.” 

While Facebook claims said that “users are in charge of that process,” Whalen argues that in reality, “people cannot actually control the sophisticated facial recognition technology [Facebok uses] because Facebook scans their faces in photos and videos uploaded by other users, even if their individual facial recognition setting is turned off.” 

An excerpt from Facebook’s California Privacy Notice 

As for what information Facebook collects, Whalen states that “on January 1, 2020, Facebook published, for the first time, its California Privacy Notice for its California users as a supplement to its current Data Policy in compliance with California’s Consumer Privacy Act,” and in this notice, it “admits that any of the information disclosed within the California Privacy Notice may have been collected from [Facebook and Instagram] users over the past 12 months.” She further notes that “while only California currently requires these types of disclosures to consumers, the contents of the notice demonstrate that Facebook has been collecting biometric data from its Instagram users for, at minimum, the 2019 calendar year.”

The key problem with this, according to Whalen, is that while Instagram discloses its data collection and sharing practices in terms of service (something it allegedly did not do prior to January 1, 2020), it still does not have “a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with Facebook.” 

Moreover, it is legally problematic, she claims, that Facebook automatically collects and stores the faces of people that in appear in users’ photos when those people may not be Instagram users, and thus, have not agreed to the company’s terms of service. 

Both practices violate BIPA, which explicitly bans companies from collecting people’s biometric data, including faceprints collected via facial recognition scans, without their knowledge or consent, the lawsuit alleges.

As a result, Whalen wanted the court to grant her class action certification to enable other similarly situated individuals, namely, other resident of Illinois, to join her suit. In connection with her claims that Facebook violated various sections of BIPA, she is seeking $1,000 per violation – or as much as $5,000 per violation if it can be established that Facebook “acted recklessly or intentionally,” a sum that could easily reach into the millions of dollars given that Facebook has allegedly collected and used the biometric information of “millions of Illinois residents.” 

In response to the complaint, Stephanie Otway, a Facebook company spokesperson, said that the “suit is baseless,” and that “Instagram doesn’t use face recognition technology.”

*The case is Kelly Whalen v. Facebook, Inc., 20-CIV-03346 (Cal.Sup.).