• by Wendy Davis  @wendyndavis, June 17, 2024

Siding with Meta Platforms, a federal appellate court on Monday refused to reinstate claims that the company violated an Illinois biometric privacy law by creating “face signatures” of non-Facebook users.

In a 20-page ruling issued Monday, a three-judge panel of the 9th Circuit Court of Appeals ruled that “face signatures” -- described in the opinion as “a string of numbers that represents a particular image of a face” -- aren't in themselves covered by the Illinois law.

“Because -- on the record before us -- face signatures cannot identify, they are not biometric identifiers or biometric information,” Circuit Judge Ryan Nelson wrote in an opinion joined by Danielle Forrest and Gabriel Sanchez.

The ruling stems from a class-action complaint brought against Facebook in 2018 by Illinois resident Clayton Zellmer.

He alleged that Facebook's former face-tagging system violated the Illinois Biometric Privacy Act, which restricts companies' collection and storage of voiceprints, scans of facial geometry, retina scans and other biometric data. Among other requirements, the Illinois law requires companies to obtain state residents' consent before collecting biometric data, and to make available a written data-destruction policy.

Zellmer's lawsuit centered on Facebook's former practice of scanning photos in order to identify the people depicted. The company rolled out facial recognition in late 2010, when it used technology to suggest people's names when they appeared in photos uploaded by friends.

In 2021, faced with privacy complaints, Facebook said it would stop using facial-recognition technology. That same year, the company agreed to pay $650 million to settle a different class-action biometric privacy lawsuit brought by Illinois residents who used the social media platform.

Zellmer alleged in his complaint that Facebook's system scanned all faces in photos -- users as well as non-users -- and then created facial templates that could be used to recognize anyone depicted in the photos.

But Facebook contended it was unable to identify non-users who appeared in photos.

“Facebook does not create, save, or store templates for non-users who appear in photos,” Facebook argued in written papers. “As a result, the face signatures derived from images of non-users like Mr. Zellmer cannot be -- and are not -- used to identify anyone.”

In April 2022, U.S. District Court Judge James Donato in the Northern District of California threw out Zellmer's claim that Facebook collected the faceprints of Illinois non-users without their consent, ruling that even if the allegations were true, Facebook lacked a practical means of contacting non-users to obtain their consent.

Donato initially allowed Zellmer to proceed with a claim that Meta violated the Illinois law by failing to post a written biometric data retention policy, but ultimately dismissed that claim in November 2022.

Zellmer subsequently asked the 9th Circuit Court of Appeals to reinstate his complaint.

In rejecting that request, the appellate judges noted that Meta presented evidence that face signatures couldn't be “reversed engineered” to identify people.

The judges pointed to a declaration by a product manager who described a face signature as "an abstract, numerical representation of a face crop that is computed by millions of pixel comparisons performed by the proprietary algorithm that Facebook has developed."

The product manager added in his declaration that it wasn't possible to identify non-users from their face signatures, according to the court.