An unusual Illinois privacy law is sparking lawsuits against tech companies like Shutterfly Inc. that use face-recognition technology. Last week, a federal judge ruled that one of those lawsuits may go forward. Mike Coppola/Getty Images for Shutterfly

Tech companies are fighting a battle for your face, but some are having a hard time keeping their noses clean. In a court ruling that could spell trouble for social networking companies that use face-recognition technology to tag and track photos of their users, a federal judge in Illinois is allowing a lawsuit against Shutterfly Inc. to proceed despite the company’s insistence its tagging software does not run afoul of a state privacy law.

The order, filed last week, marks the first time a court has interpreted an Illinois statute that prohibits companies from collecting and storing biometric data without first obtaining informed written consent. Shutterfly, facing a potential class action, had argued its face-recognition software does not violate the statute because it makes face scans from photographs, not actual faces. But that argument wasn’t enough to get the lawsuit tossed.

“It’s not going to be as easy as Shutterfly had hoped,” said Jeffrey Neuburger, a partner at Proskauer Rose in New York who focuses on technology law and who has been following the case.

The case in question centers on Shutterfly’s ThisLife cloud storage platform, which employs face-recognition technology to organize and manage photos. Facebook Inc., which uses comparable software to tag photos of its users, is facing similar lawsuits from Illinois residents. Like Shutterfly, it is arguing face scans derived from photographs are not covered under the state statute.

David Milian, a lawyer with Carey Rodriguez who is leading the case against Shutterfly, says not so fast. “There are serious privacy concerns related to the unauthorized capture and storage of biometric data by these companies, and currently Illinois is the only state to allow private citizens to sue,” he said in a statement Thursday. “The data privacy concerns are enormous. You can always change your password or get a new credit card or Social Security number if these websites are hacked, but you can't change your facial geometry.”

A spokeswoman for Shutterfly declined to comment on the last week’s order, citing a policy of not commenting on litigation. Facebook has said the lawsuits against it are without merit.

The Facebook logo is seen reflected in a woman's sunglasses. Kiran/AFP/Getty Images

Contentious Faceoff

Illinois has emerged as something of a ground zero in the fight over face recognition. It is one of only two states, the other being Texas, that regulates the use of biometric data by private companies. State lawmakers there passed the Biometric Information Privacy Act, or BIPA, in 2008, a time when far fewer people were talking about biometric data, which includes fingerprints, voice patterns and iris scans, in addition to faceprints.

BIPA went relatively unnoticed until last year when an enterprising privacy lawyer known for going after tech companies filed a lawsuit accusing Facebook of collecting and storing “faceprints” — or geometric scans of people’s faces — in violation of the law. Other lawsuits followed, putting BIPA at the center of a contentious debate between privacy advocates, who say lawmakers need to move more quickly to regulate emerging biometric technologies, and tech leaders, who say consent requirements would be unnecessarily cumbersome.

Fueled by wearable devices and health trackers, the global biometrics market is expected to skyrocket in the next five years, hitting $44.2 billion in 2021 compared to $7 billion in 2014, according to the market research firm ReportsnReports. But opinions on how to regulate the technology differ. A number of privacy organizations last June withdrew from discussions with tech trade associations after the two sides reached an impasse over face recognition.

Meanwhile, there is no real consensus on what biometrics are and what they are not. Under BIPA, “faceprints” are clearly defined as biometric identifiers, but “photographs” are exempt. That leaves faceprints made from photographs — like those collected by social media companies — in a somewhat murky area. Despite the lack of clarity, the order filed last week found the plaintiff suing Shutterfly “has plausibly stated a claim for relief under BIPA.” In other words, the complaint has at least enough merit for a judge to let it proceed.

It’s a blow to Shutterfly’s argument, and by extension Facebook’s, but the biometrics battle is far from over. The real test will come as the cases are litigated in court and lawyers on both sides argue over the true meaning of a statute written eight years ago, a lifetime by technology standards.

“I think the court has a difficult job,” Neuburger said. “They’re applying the words of a statute that don’t clearly express the intent for this kind of activity. I don’t think this was intended to cover social media.”

Christopher Zara covers media and culture. News tips? Email me. Follow me on Twitter @christopherzara