Facebook is to pay $550 million to Illinois Facebook users, after settling a lawsuit that targeted the company’s automated face-tagging system. Three Illinois men sued the company for violating Illinois’ Biometric Information Privacy Act.

Facebook’s software uses facial recognition technology to match individuals’ faces to their information. In Illinois, however, this technology is illegal to use without gaining the consent of users before collecting biometric information, including fingerprints and facial recognition. 

Facebook settled this case by agreeing to pay a fine of $550 million to the state of Illinois, but no other restrictions were placed on the company, as their data aggregations will continue to work in the same way. 

“That’s like me paying a parking ticket,” said Jaime Andrade, member of the Illinois House of Representatives and chairperson for the Illinois Committee of Cybersecurity, Data Analytics and IT.

Illinois stands as one of three states that have set legislature for biometric data. Even so, it is the only state that allows individuals to file lawsuits against tech companies. 

“It’s what I believe to be one of the strongest laws in the country,” Andrade said. 

In this unique way, it creates a private right of action for those who want to protect their online privacy. 

“In Washington and Texas, that have similar laws, only the state attorney’s general can bring a lawsuit,” said Jay P. Kesan, director of the University Program in Intellectual Property and Technology Law. 

One of the biggest problems, Kesan added, is that most people don’t realize how data is being aggregated and coordinated to get a complete picture of an individual. It’s a commonality to skip over the terms and conditions when using an internet platform, blindly agreeing to private data storage or sharing. This allows companies to set their own restrictions with limited repercussions from their users. 

“A lot of these agreements and terms of service that people consent to will very often say that they will share the information with authorized or specific affiliates, or third parties that they deem to be appropriate,” Kesan said. “Very often you don’t realize it, but you agree to it.”

Especially when it comes to the internet platforms that are free, such as Facebook, Instagram or Google, users seem to overlook the true cost of data collection. Personal data can be monetized and sold to third-party tech companies that store complete profiles on internet users. 

“No app is free,” Andrade said. “Nothing is free.” 

In light of the Facebook settlement, a class action suit against Clearview AI, a tech company that provides facial recognition software, is being built for its similar violation of Illinois’ BIPA. The class action complaint states that Clearview “actively collected, stored and used Plaintiffs’ biometrics — and the biometrics of most of the residents of Illinois — without providing notice, obtaining informed written consent or publishing data retention policies.” 

Clearview has collected a database of more than three billion photographs that it aggregated from Instagram, Facebook, Venmo, Twitter, Youtube and millions of other websites. 

“They’re downloading all the stuff that’s publicly available,” Kesan said. “It doesn’t appear to be limited to what is just publicly available.”

Contrastingly, Clearview’s website claims that they are in “full compliance with the law;” however, considering that only three U.S. states have legislation on biometrics and that data aggregation is a still-evolving discussion, Clearview is one of many companies that still gets away with collecting biometrics. 

“No matter what laws we pass, no matter what regulations we pass, there is now an industry in the dark web that literally is set up to steal data,” Andrade said. 

[email protected]