After Facebook introduced “Tag Suggestion” as a default feature, some users began to feel uncomfortable. Facebook’s tagging system works by utilizing facial recognition to analyze images and develop a unique number, or template, for each individual. Although users have the ability to opt-out, Facebook still launched the feature without getting people’s explicit permission. 

In 2015, Illinois residents filed a class-action lawsuit. Within it, the plaintiffs brought up Illinois’ Biometric Information Privacy Act (BIPA), which is one of the United States’ most powerful privacy laws. BIPA bars companies from collecting, using, or sharing a person’s biometric information without their informed consent — the plaintiffs argued that Facebook’s tagging system was in violation of the law. 

Facebook moved the case from Illinois to California, where the company is currently headquartered, and tried to halt the lawsuit. A recent unanimous decision from the 9th U.S. Circuit Court of Appeals in San Francisco determined that the lawsuit can proceed. According to TechCrunch, the company is now facing billions of dollars in potential damages. 

People feeling discomfort with Facebook’s use of facial recognition is valid. After all, as BIPA points out, “biometrics are unlike other unique identifiers.” For example, having your social security number compromised is a major pain, but you’re able to change it. You can’t change your face, though.

In other words, if somebody’s biometric information is compromised, “the individual has no recourse, [and] is at heightened risk for identity theft.” Let’s face it, Facebook doesn’t have the best track record when it comes to protecting people’s data or privacy.

One of the biggest things about this ruling is it sets new standards for no longer waiting for companies to mess up or leak data before users have the right to protect themselves. According to the Electronic Frontier Foundation, the appellate court wrote:

“Taking into account the future development of [facial recognition] as suggested in Carpenter, it seems likely that a face-mapped individual could be identified from a surveillance photo taken on the streets or in an office building. Or a biometric face template could be used to unlock the face recognition lock on that individual’s cell phone. We conclude that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

Although this ruling allows the lawsuit to proceed, people should still be aware that Facebook probably has one of the largest facial recognition databases in the world. This should raise privacy concerns not just with Illinois residents, but across the nation as well.

Other companies have used photos to train facial recognition without people’s consent, and some even sold that technology to the military, police, and private companies. Photo-sharing site Ever did so, and IBM scrapped photos from Flickr to do it too. If Facebook has a massive database, it’s unclear what the company could choose to do with it.

Facebook plans to appeal the court’s decision, citing the fact that people are able to turn the tagging system off. However, the case should serve as a larger warning for not only the general public but regulators and those in positions of power.

People should not have to wait for Facebook to either have a privacy scandal involving its facial recognition dataset or for some other type of harm to take place. There needs to be stronger protection, and companies like Facebook shouldn’t be given free reign — especially when it comes to our faces.