Facebook has agreed to pay a massive half-billion dollar settlement as a result of violating Illinois consumer privacy laws. This hefty fine was in lieu of a threatened $35 billion penalty that might have been imposed. The substance of the claim was that Facebook improperly appropriated and used biometrics, including facial recognition, without first getting user approval.
The Illinois settlement is the second major privacy violation that Facebook has been hit with in less than a year. Over the summer, the FTC announced a $5 billion settlement. The Illinois case was filed in 2015 and Facebook pushed back, saying that the Illinois Biometric Information Privacy Act (BIPA) was not applicable to a California company. The Court enthusiastically rebuked this argument.
There was suspicion that Facebook had engineered a lobbying campaign to take the teeth out of BIPA. During the pendency of the case, some Illinois lawmakers worked to amend BIPA to exclude digital images. This surprising and outrageous suggestion seems to have come from Facebook itself, who opposes any form of regulation. Facebook, of course, denies that it had anything to do with the proposed amendment.
Illinois was successful at trial and, in 2019, was again successful at the Circuit Court of Appeals. Facing the pressure of a potentially damning Supreme Court decision, Facebook instead decided to fold and settle the case $550 million. As part of the settlement, Facebook admits to no wrongdoing.
So, will this settlement change anything about Facebook’s business practices? To put this in context, the $5 billion FTC settlement from the summer represents the amount of money Facebook earns in a month. Given this type of revenue, there would seem to be little incentive for Facebook to change anything, despite the FTC and now Illinois settlements. In fact, it is hard to see how any financial penalty could incentivize better behavior. It may be that, until regulation provides for criminal penalties in lieu of massive fines, the fines will just continue to be paid.
For now, there is no doubt that the value of harvested biometrics far outweighs the risk of running afoul the scant regulation that does exist. The absence of enforcement on a Federal level is an invitation for Facebook and other bad actors (who are less likely to be targets) to continue to use ill-gotten private data for their own financial gain.