Meta | Photo Tagging | Biometric Data

With the majority of people being on social media,[1] we all have encountered photo tagging in one way or another. The feature is most salient on platforms operated by Meta and whilst the mechanism was originally a manual process, whereby the user had to tag other individuals as they appeared in a photograph, Meta had released its ‘Tag Suggestions’ feature which through facial recognition, automatically tagged users as they appeared in photographs. The recognition technology is based on an analysis of faces in photos uploaded to their servers, which is then stored for future matches. When a match is found upon the uploading of a new photograph, the feature automatically tagged the identified individuals, streamlining the tagging process.

Back in 2019, this feature was the crux of a U.S. class action lawsuit, with the Judge ruling that such use “invades an individual’s private affairs and concrete interests”.[2]Subsequently, it rehashed the system to adopt the creation of a data string (what Meta calls ‘Face Signature’) to encapsulate the unique facial features of their users. Meta later disabled the automatic feature in 2021, opting for a suggestion-based approach, with the user having to opt-in to confirm the tagging, rather than having an automatic process, leaving us with the system we have presently.[3]

Zellmer v. META PLATFORMS, INC.

On June 17 2024, the latter ‘Face Signature’ system was scrutinised within the Ninth Circuit Court of Appeal (“the Court”). Specifically, the main argument comprised of whether or not such Face Signatures constituted to be biometric data under the Illinois Biometric Information Privacy Act (“BIPA”).

The plaintiff, Zellmer, a non-user of Meta’s platforms alleged that Meta had violated BIPA after his friends uploaded photographs which included him. Zellmer argued that the use of Face Signatures process falls squarely within the scope of BIPA's definition of ‘biometric identifiers’, thereby subjecting Meta to the Act's stringent requirements, most notably the requirement to i) publish a written policy establishing its retention schedule for such collected biometric data and ii) destroying any biometric identifiers or information on non-users like the plaintiff, in its possession.

Under BIPA, a private entity such as Meta may not "collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information" unless it:

  • Informs the subject or the subject's legally authorised representative in writing that a biometric identifier or biometric information is being collected or stored;
  • Informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
  • Receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.[4]

Meta argued that BIPA applies exclusively to biometric identifiers and information that has the capability on identifying a person. As evidence, it provided a sample list of Face Signatures and purported its inability to identify non-users, comprising mainly of a long string of numbers with an impossibility of reverse engineering to derive any additional information.

The Court’s ruling diverges from the plaintiff’s interpretation. Indeed, the Court held that Meta's photo-tagging tool does not qualify as a biometric identifier under BIPA. The decision was grounded in the distinction between the Face Signatures used by Meta and the biometric data explicitly listed in BIPA. It argued that the plaintiff “never explained how he or any of the proposed class members are harmed by violations of this general duty in a "concrete and particularized" way”[5]. The Court added that: face signatures are neither biometric identifiers nor information, Zellmer is no more harmed by Meta's failure to have a retention schedule or guidelines related to the destruction of biometric identifiers or information than anyone else in Illinois.” [6]

This decision highlights the ongoing tension between technological innovation and privacy regulation; an influence on future BIPA cases is expected.

Undoubtedly, as facial recognition technology continues to proliferate across various sectors, the legal and regulatory frameworks governing its use will likely continue to evolve. This case serves as a reminder of the need for precise legislative definitions and most importantly, adaptable regulatory approaches to keep pace with such technological advancements. This ruling marks a pivotal moment in the ongoing discourse surrounding biometric data and its regulatory implications and will potentially have a ripple effect that will affect how private entities, such as Meta, navigate data privacy on a global scale.

News update by J.J. Galea

For more information and assistance on Data Protection & Privacy Law, kindly contact Dr Ian Gauci or Dr Terence Cassar.


[1] https://tvmnews.mt/en/news/79-of-the-maltese-population-use-social-media/

[2] https://news.sky.com/story/court-rejects-facebook-appeal-to-throw-out-facial-recognition-lawsuit-11781248

[3] https://about.fb.com/news/2021/11/update-on-use-of-face-recognition/

[4] 740 ILCS 14/15(b), https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

[5] Zellmer v. META PLATFORMS, INC. Court of Appeals, 9th Circuit 2024: https://scholar.google.co.uk/scholar_case?case=5646999632272262904&hl=en

[6] ibid

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
Skip to content