The Ninth Circuit upheld a social media company’s win against BIPA claims regarding a tag suggestion feature, concluding that the facial signatures generated do not qualify as biometric identifiers since they’re not retrievable and cannot pinpoint non-users. This ruling aids technology companies in assessing their compliance with biometric regulations, clarifying the legal landscape surrounding non-user biometric data.
In a landmark ruling, the Ninth Circuit Court of Appeals upheld a social media company’s summary judgment victory concerning claims under the Biometric Information Privacy Act (BIPA). This case revolved around the platform’s “tag suggestion” feature that identifies users in uploaded photos by comparing them against existing user photos. The court concluded that the operation did not create a biometric identifier because the resulting “facial signature”—a numerical representation of a face—was ephemeral and non-identifiable for non-users, aiding technology firms in understanding their BIPA compliance obligations. The ruling is significant as it clarifies what constitutes a biometric identifier under Illinois law, especially amidst the rising legal risks associated with the collection and use of biometric data. BIPA requires explicit consent from individuals before the collection of biometric identifiers, but the Ninth Circuit’s analysis indicated that merely processing an image into a facial signature does not invoke BIPA protections for non-users. This distinction marks a critical development in jurisprudence related to biometric privacy in the U.S., providing needed clarity for technology providers in a rapidly evolving digital landscape. In examining the use of facial signatures, the court determined these structures could not be reverse-engineered to identify individuals, thus confirming their non-biometric nature as defined by BIPA. Moreover, the court highlighted the inherent inaccuracies of facial recognition technology, which can predict characteristics like age or gender but cannot definitively identify a person. This understanding directs technology companies to reassess their compliance strategies with respect to privacy risk and indicates the necessity of a collaborative approach between legal and technical teams to mitigate BIPA-related liabilities. The Ninth Circuit disagreed with the district court’s earlier justification for dismissing the claims based on a practical impossibility of obtaining consent from every individual in an uploaded image, emphasizing that BIPA requirements apply broadly to any biometric identifiers the platform might hold, regardless of user status. This ruling reflects a significant and nuanced approach to interpreting biometric privacy laws that will likely influence future litigation in this area.
The Illinois Biometric Information Privacy Act (BIPA) is a regulatory framework that governs the collection and use of biometric data, such as facial recognition data, requiring companies to obtain explicit consent from individuals whose data is collected. As biometric technology advances, more cases arise concerning violations of this law, particularly as they relate to the consent mechanisms for non-users. The Ninth Circuit Court’s ruling not only signifies a judicial interpretation of BIPA but also sets a precedent for how technology companies can navigate compliance amid ongoing technological advancements.
The Ninth Circuit’s ruling represents a pivotal moment in interpreting BIPA, clarifying that facial signatures used in social media tag suggestions do not constitute biometric identifiers under the law, provided they are not retrievable post-operation. This outcome provides much-needed guidance for technology companies that utilize biometric technology, emphasizing the importance of understanding legal frameworks as they apply in practical scenarios. Furthermore, companies are advised to foster collaboration between their legal teams and technology developers to navigate the complexities of privacy risks effectively.
Original Source: www.mintz.com
