By: Charlie O’Toole
Responding to these articles:
http://fortune.com/2015/06/18/shutterfly-lawsuit-facial-recognition/
In June, 2015, Brian Norberg filed a class action lawsuit in Illinois federal court claiming that Shutterfly, an online vendor of photo prints, had violated an Illinois statute governing the collection of biometric data. The case, Norberg v. Shutterfly, Inc., Case No. 15-cv-5351 (N.D. Ill.), came about when Norberg somehow noticed that, despite his never having used Shutterfly himself, the website had employed facial recognition software to analyze and store a record of his face from a photograph uploaded and tagged with his name by an acquaintance. Judge Charles Norgle, of the Northern District of Illinois, denied Shutterfly’s motion to dismiss in an order dated December 29, 2015.
This case, along with a handful of similar ones filed recently, relies on an Illinois statute that requires companies to disclose to consumers when they collect biometric data (such as fingerprints or voice recordings) and how that data may be used. 740 Ill. Comp. Stat. 14 (2008). Illinois and Texas are so far the only two states with laws expressly governing the collection of this kind of data. David Almeida and Mark Eisen note in their National Law Review article that the Illinois statute appears to be modeled in part on federal privacy statutes like the Fair Credit Reporting Act, in that it provides a private cause of action and also assigns relatively high statutory damages ($1,000–$5,000 per violation).
In United States v. Spokeo, Inc., No. CV12-05001MMM(JHx) (C.D. Cal., June 7, 2012), the FTC determined that an aggregator of personal information constituted a consumer reporting agency under the FCRA. Spokeo ultimately signed a consent decree, agreeing to pay a fine of $800,000 and reform its internal practices to comply with the FCRA, but its founder issued a credible statement claiming not to have known that Spokeo, which started as an aggregator of social media information, was regulated by the FCRA. Similarly, Shutterfly and its peer defendants in these more recent cases could plausibly have had no idea that a statute governing the collection of data gleaned from retinal scans and fingerprint readers could expose them to liability for using facial recognition software. Indeed, as Shutterfly pointed out in its motion to dismiss, the Illinois statute expressly excludes photographs from its scope, though Norberg successfully argued that a “faceprint” of the kind stored by Shutterfly’s software is not the same thing as the photograph itself.
Whatever the outcome of this round of privacy litigation, the Shutterfly case highlights the uneasy tension between the federalist/sectoral U.S. privacy law regime and the realities of an increasingly data-focused marketplace. On the one hand, consumers have reason for concern over the collection of more and more kinds of personal information. In particular, as new kinds of personal information become eligible for electronic collection, storage, and organization, various kinds of data aggregation may reveal or suggest information about people that they never contemplated disclosing, publicly or otherwise. On the other hand, the exploitation of “Big Data” is a major source of untapped social value, from businesses targeting advertising to consumers who are likely to be interested in their products, to analyzing anonymized health records organized by zip code in order to help prevent obesity. Caryn Roth et al., Community-level determinants of obesity, BMC Medical Informatics & Decision Making 14:36 (2014), http://www.biomedcentral.com/1472-6947/14/36.
Fragmenting U.S. privacy law by means of a sectoral system allows for the tailoring of legal standards for the public and private sectors, and for different industries that use information differently. In theory, this system could work better for industry and consumers, as laws can be tailored to strike the right balance between all the competing interests in each domain. The same benefits are often claimed for a federalist system of government—to take an example from the area of privacy law, the FCRA can set out a floor for acceptable data security, while individual states can strengthen one or more aspects of the law depending on their constituents’ special needs or preferences. It is arguably important for the U.S. to maintain its sectoral approach to privacy law to serve as a counterpoint to the E.U.’s influence in spreading an omnibus regime throughout much of the rest of the world. Having a major economic power using a different approach could serve as a good demonstration of the costs and benefits of each system. However, as industry continues to collect and configure data in new, unanticipated ways, deterrence effected by the threat of class actions, buttressed by the statutory damages imposed by most privacy-focused laws, may be a bridge too far.