Biometric data lawsuits: Meta’s $1.4 billion settlement and the broader picture

There is a growing wave of class actions across the United States centring on biometric data.

Plaintiffs are increasingly bringing complaints alleging privacy violations of their biometric data. 

To date, biometric data lawsuits have centred in Illinois, which has two landmark pieces of state legislation: the Biometric Information Privacy Act 2008 (BIPA) and the Genetic Information Privacy Act 1998 (GIPA).

Bucking this trend, the Texas Attorney General brought a claim related to biometric data against Meta in 2022. This claim settled in July 2024 for $1.4 billion – the largest settlement to date.

Here, Clyde & Co partners Rosehana Amin and Meghan Dalton and trainee solicitor Adam Leese consider the key implications for the insurance industry arising from the landmark settlement and how it sits within the wider picture of lawsuits concerning biometric data.

Background

The Texas Attorney General brought a suit against Meta in February 2022, alleging Meta had violated the Texan Capture or Use of Biometric Identifier Act 2009 (CUBI). CUBI regulates the collection, use and storage of biometric data. This includes iris scans, fingerprints, and voiceprints.

The Attorney General’s claim centred on allegations that Meta had illegally collected Facebook users’ biometric data through a facial recognition tool which it introduced in 2010. This tool allowed users to tag friends in photos and videos uploaded to Facebook. It was also used in a Facebook app called “Moments”, which allowed users to collate and share photos. 

Facebook withdrew the facial recognition tool in November 2021. This followed a decision by a Federal Court in California to approve a class action settlement valued at $650m regarding violations of biometric data protection in respect of the facial recognition tool.

On 30 July 2024, the Texas Attorney General announced it had reached a settlement with Meta for $1.4 billion. This is the largest settlement achieved by any state regarding data privacy. 

We understand that Meta has now paid out over $2 billion in total for biometric privacy claims.

The wider picture

The Texas settlement sits alongside a growing number of lawsuits relating to biometric data. We set out some recent examples below.

Ready Player Me

On 16 July 2024, a putative class action was filed in Illinois against Ready Player Me which anticipates up to 20,000 potential class members. Ready Player Me is a platform used by thousands of companies enabling users to create personalised avatars (i.e. digital likenesses of themselves) to use as a character on other web-based platforms. This includes video games, virtual reality apps, and business tools.

Users upload a selfie to the platform which “magically creates a personal avatar” with just one click. To do so, the platform scans the user’s facial geometry to create a digital rendering of their face.

However, the putative class action alleges that Ready Player Me scanned, stored, and used users’ biometric data without first obtaining their written, informed consent in violation of BIPA. Interestingly, this putative class action was filed shortly before the Illinois legislature amended BIPA on 2 August 2024, which significantly curbs the potential for large damages. Notably, the Illinois legislature has placed a per-person cap on the BIPA statutory damages no longer allowing damages to be cumulated “per-violation.” That being said, amendments to legislation typically do not have retroactive application unless specifically stated within the language of the amendment. The amendment is silent as to any retroactive application. 

We await the Court’s ruling as to certifying the class action. 

Google G-Suite for Education

A class action lawsuit was filed in Illinois against Goggle in April 2020 alleging that Google had violated state and federal privacy laws.

The lawsuit alleged Google had “infiltrated” schools across the United States by providing Chromebooks to over half of the country’s students. The Chromebooks were pre-loaded with “G Suite for Education”, an education platform provided by Google.

Google purportedly collected children’s biometric data including facial scans, voice data, and search histories without their permission through the Chromebooks.

Google was denied its motion to dismiss the lawsuit in April 2022.

Subsequently, the parties entered into mediation and agreed a settlement in July 2024. The value of this settlement is currently unknown. 

Implications

There is an ever-growing number of biometric data lawsuits, with new developments appearing on a regular basis. Policies – including Bermuda Form policies – for general public liability typically incorporate liability arising from an invasion of the right of privacy into the scope of cover. We advise insurers to keep a watch on developments in the biometric data space and keep policy wordings under constant review to safeguard against a likely continued rise in coverage claims.