Skip to Content
Subscribe Cybersecurity and Data Privacy Blog

Ninth Circuit Ruling Could Lower BIPA Risk but Threat Remains

On June 17, 2024, the Ninth Circuit Appeals Court ruled that Illinois’s Biometric Information Privacy Act (“BIPA”) does not apply to face scans that cannot be used to identify individuals. This decision is not binding on Illinois courts, but businesses that collect facial scans for purposes of access control other activities where non-matching biometric identifiers are discarded may find this case helpful. Complying with BIPA can be a complex effort with high legal risks. Businesses that collect biometric identifiers, like face scans and fingerprint scans, should engage with outside counsel to review compliance and mitigate risk.

In Zellmer v. Meta Platforms, Inc., the court held that Facebook did not violate BIPA when it created face signatures of individuals for its “Tag Suggestions” feature when those scans could not be used to identify non-Facebook users.  

BIPA regulates the collection, use, retention, destruction, and other processing of biometric identifiers. [1] Under BIPA a private entity can only obtain a customer’s biometric identifier or biometric information if it provides adequate notice to and receives written authorization from the individual. [2]

Businesses that collect biometric identifiers from people in Illinois (e.g., through fingerprint time clocks or facial recognition software) must comply with BIPA. As currently written, a business is liable for violating BIPA each time it improperly collects a biometric identifier, which, in the aggregate can lead to potential liability of millions of dollars. [3] The Illinois legislature recently passed an amendment that would limit BIPA liability to one violation per person per biometric identifier. [4] However, the bill has yet to be signed by the governor.

Facebook launched its “Face Suggestions” feature in 2010, which would automatically “tag” (or associate with another user’s Facebook profile) individuals in photos uploaded to Facebook. Facebook’s algorithm assigned a “face signature” to each detected face in a photo. A face signature is a series of numbers that are used to match faces to those of people with a Facebook account. The face signatures that were not associated with a Facebook profile were not saved and could not be used to identify anyone. The plaintiff in this case was included in a photograph posted to Facebook and claimed Facebook violated BIPA when it used its Face Suggestions tool on a photograph of him.

The Court held that a face signature is not a “biometric identifier” or “biometric information” under BIPA because face signatures of non-users could not be used to identify any individual.  As such, Facebook’s “Tag Suggestions” feature did not violate BIPA.

This decision is a win for Facebook and provides a helpful, persuasive case for businesses subject to BIPA. However, Illinois courts are under no obligation to follow this ruling. Businesses should consult with an attorney to evaluate whether their practices may violate BIPA and learn how to best avoid.

Blog co-authored by Summer Associate Oliver Rolfe. 


[1] 740 ILL. COMP. STAT. 14/5 (2024).
[2] 740 ILL. COMP. STAT 14/15(b) (2024).
[3] Cothron v. White Castle Sys., 216 N.E.3d 918 (Ill. 2023) (holding that a separate violation of BIPA occurs upon each transmission of a person’s biometric identifier or information without prior informed consent); [6] Richard Rogers v. BNSF Railway Company, 680 F.Supp. 3d 1027* (N.D. Ill. Jun. 30, 2023) (holding that cumulative damages of $228 million were awardable by calculating each occurrence as a separate violation).
[4] SN2979 (103rd Illinois General Assembly) (2023).
Share This Blog Post

Related Services

Data, Privacy, and Cybersecurity

Related Attorneys

See All Attorneys