Facebook could be in trouble as a class-action suit against Shutterfly, brought by a Chicago man, is now able to move forward. The claim relates to alleged misuse of biometric data by the company. Facebook uses similar technology to Shutterfly for face recognition, so if this case has a positive outcome for the plaintiff, it could mean difficult times ahead for Facebook, which currently has similar claims against it.
The collection of biometric data collected by Shutterfly is used to create databases of “faceprints,” allowing for quick and easy identification of people in photographs. The faceprint creates a unique ID for each person in a picture that is similar to a unique fingerprint. The Chicago man claims that while he’s never used Shutterfly before, the company has used group pictures uploaded by others to create a faceprint of him without his consent.
Illinois is one of three states in the United States to have laws restricting the use of biometrics. The claim brought by the Chicago man also includes an allegation that Shutterfly is violating Illinois’ law forbidding companies from collecting biometric data without permission of the individual. However, in Illinois there is an exception to this law, for biometrics collected from photographs, that Shutterfly feels they should fall under. However, the judge declined to apply this exception here.
There are some legal scholars who are skeptical of how far the case will go, believing that this is the direction technology is heading, and that it’s just reality. There is also a belief that the Illinois exception should have been applied here. However, this technology can likewise be viewed in the negative and as a violation of privacy. For large privacy advocates, such as governments in Europe and the Government of Canada, this is unacceptable. Canada and many European countries do not allow Facebook tagging in an attempt to protect the privacy of their citizens.
This case against Shutterfly is very similar to a suit brought directly against Facebook regarding a feature of Facebook that uses faceprint recognition technology, inviting people to “tag” their friends in pictures they have uploaded. Facebook is arguing that in this instance the law of California, where the case was transferred to, should apply. California does not have biometric limits as found in Illinois.
So far, it is unknown whether or not this class action suit against Shutterfly will in fact progress any further, or if Shutterfly will be able to find a way to settle before then. There are many on either side of the fence, who find the technology to be both incredibly beneficial and also a direct invasion of personal property.
For more information about biometric data on the Internet and the possible challenges to be faced in the near future contact Revision Legal’s Internet attorneys through the form on this page or by calling 855-473-8474.
The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA), enacted in 2008, is the nation’s most litigated biometric privacy statute. BIPA prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s biometric identifier or biometric information without first:
BIPA’s private right of action under § 20 allows any person aggrieved by a violation to sue for the greater of: (a) actual damages, (b) $1,000 per negligent violation, or (c) $5,000 per intentional or reckless violation—plus attorney fees. In 2023, the Illinois Supreme Court held in Cothron v. White Castle System, Inc., 2023 IL 128004, that a separate claim accrues each time biometric data is collected or transmitted in violation of BIPA, dramatically expanding per-incident exposure for class action defendants.
BIPA exempts from its definition of “biometric identifier” photographs and information derived from photographs. Shutterfly’s primary defense in the lawsuit was that its facial recognition faceprints were derived from photographs and therefore fell within this exception. The court rejected this argument because Shutterfly was using the photographs as an input to generate a distinct biometric template—a mathematical representation of facial geometry—that could function as a persistent identifier independent of any specific photograph.
Courts have since elaborated on the scope of the photography exception. The key distinction is between a photograph itself (exempt) and biometric data derived from a photograph and stored as a reusable template (not exempt). Technology companies relying on facial recognition should not assume the photography exception provides a safe harbor simply because their input data is photographic.
While Illinois’s BIPA remains the most litigated statute, other states have enacted or are considering biometric privacy laws. Texas enacted the Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code § 503.001, in 2009—but unlike BIPA, it provides no private right of action and is enforced only by the state Attorney General. Washington’s My Health MY Data Act (2023) expands biometric protections in the health context. At the federal level, Congress has repeatedly considered a federal biometric privacy law, though none has been enacted as of 2026.
Companies operating nationally must map which states’ laws apply to their users based on where users reside, where data is processed, and whether their technology qualifies as collecting “biometric identifiers” under each state’s definitions. These determinations require legal analysis specific to the company’s technology stack and data practices.
Any company that collects, stores, or uses facial recognition data, fingerprints, voiceprints, iris scans, or other biometric identifiers should take the following compliance steps:
If your company collects or processes biometric data and you have questions about BIPA compliance or exposure, contact Revision Legal at 855-473-8474 or fill out the contact form on this page. Biometric privacy litigation is one of the fastest-growing areas of class action practice, and early compliance planning is far less expensive than litigation.
Biometric privacy litigation under BIPA has exploded since the Illinois Supreme Court’s 2019 decision in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, which held that a plaintiff need not allege actual injury beyond a statutory violation to have standing under BIPA. This “no injury required” standing rule transformed BIPA from a modest compliance obligation into one of the most significant class action risks in the country. Companies facing BIPA class actions have settled for hundreds of millions of dollars—Facebook settled a BIPA facial recognition class action for $650 million in 2021; TikTok settled for $92 million in the same year. Any company with Illinois users that employs facial recognition, fingerprint scanning, or other biometric technology should treat BIPA compliance as a high-priority legal obligation. Contact Revision Legal at 855-473-8474 to discuss your compliance posture.
Receiving a cease and desist letter can feel alarming. One minute you are running your business as usual, and the next you are staring at a legal demand accusing you of trademark infringement, copyright violation, breach of contract, or some other wrong. The situation can escalate quickly if not handled properly. But receiving a cease […]
Read more about How to Respond to a Cease and Desist Letter
The EEOC confirmed that employers reopening businesses may conduct COVID-19 health screenings without violating disability discrimination laws. Here’s what’s allowed.
Read more about EEOC: Businesses Can Screen for COVID-19
Competitors scraping your e-commerce prices and SKUs is a growing legal problem. Revision Legal’s e-commerce attorneys explain your legal options for stopping scrapers and protecting your product data.
Read more about Protect Your E-Commerce Store from Price Scraping