Social Network or Social Nightmare: How California Courts Can Prevent Facebook's Frightening Foray Into Facial Recognition Technology From Haunting Consumer Privacy Rights Forever.

• Author: Brinckerhoff, Rosie

TABLE OF CONTENTS I. INTRODUCTION 107 II. BACKGROUND: A BRIEF GUIDE TO FACIAL RECOGNITION 112 TECHNOLOGY A. FACIAL RECOGNITION TECHNOLOGY--A BRIEF, TECHNICAL 112 OVERVIEW B. PRIVACY IMPLICATIONS OF FACIAL RECOGNITION TECHNOLOGY 113 C. FACEBOOK'S CURRENT CAPABILITIES WITH FACIAL 116 RECOGNITION TECHNOLOGY III. FACEBOOK FAILS TO EXPLICITLY INFORM CONSUMERS OF ITS USE 118 OF FACIAL RECOGNITION TECHNOLOGY: HOW THE COMPANY'S TERMS OF SERVICE AND DATA POLICY SATISFY THE CALIFORNIA STANDARD FOR UNCONSCIONABILITY A. THE DOCTRINE OF UNCONSCIONABILITY UNDER CALIFORNIA 118 LAW B. THE STANDARD FOR PROCEDURAL UNCONSCIONABILITY 119 1. FIRST CONSIDERATION: FACEBOOK'S TERMS OF 120 SERVICE AND DATA POLICY CONSTITUTE AN ADHESION CONTRACT 2. SECOND CONSIDERATION: FACEBOOK'S TERMS OF 122 SERVICE AND DATA POLICY ARE IMPOSED ON CONSUMERS IN AN OPPRESSIVE MANNER 3. THIRD CONSIDERATION: BY EXPLICITLY OMITTING 129 MENTION OF FACIAL RECOGNITION TECHNOLOGY IN ITS TERMS OF SERVICE AND DATA POLICY, FACEBOOK'S POLICIES CONTAIN A SURPRISE FOR CONSUMERS C. THE STANDARD FOR SUBSTANTIVE UNCONSCIONABILITY 133 1. FIRST CONSIDERATION: FACEBOOK'S TERMS OF 135 SERVICE AND DATA POLICY ARE AGAINST CALIFORNIA PUBLIC POLICY AND THE PUBLIC INTEREST 2. SECOND CONSIDERATION: FACEBOOK'S TERMS OF 137 SERVICE AND DATA POLICY IMPOSE AN UNREASONABLE AND UNEXPECTED ALLOCATION OF RISK 3. THIRD CONSIDERATION: THE LACK OF MUTUALITY IN 142 FACEBOOK'S TERMS OF SERVICE AND DATA POLICY IS NOT DUE TO A LEGITIMATE COMMERCIAL NEED IV. SOLUTION: WITH MULTIPLE LEGAL CHANNELS AVAILABLE, 143 CALIFORNIA COURTS ARE BEST POSITIONED TO STRIKE DOWN FACEBOOK'S PRIVACY-INVASIVE TERMS REGARDING THE COMPANY'S USE OF FACIAL RECOGNITION TECHNOLOGY A. OPTION NO. 1: UNCONSCIONABILITY 144 B. OPTION NO. 2: CALIFORNIA STATE CONSTITUTION AND PUBLIC 150 POLICY C. STATE TORT LAW: INTRUSION UPON SECLUSION 152 V. CONCLUSION 155 I. INTRODUCTION

The rapid explosion in the number of social media companies utilizing and implementing facial recognition technology has introduced many privacy risks associated with collecting and storing consumer biometric (1) data for commercial use. (2) The fundamental issue stems from the fact that "[i]n the U[.]S[.], there is no single, comprehensive federal law regulating privacy and the collection, use,... and security of personal information." (3) Rather, the United States has a piecemeal system with respect to consumer data privacy, consisting of industry-specific federal privacy laws, (4) state privacy laws, (5) and best practice guides (6) from various governmental agencies. (7) Fittingly, this fragmented approach to regulating consumer data privacy has best been described as a "patch-work quilt." (8) With a disjointed legislative framework and no broad federal law in place to regulate the collection and distribution of biometric data, consumer privacy is becoming increasingly vulnerable. (9)

As a result, operating with no real legal restraint and only under conditions of self-regulation, (10) social media companies are well-positioned to take advantage of unsuspecting consumers using social networking sites and applications. (11) As one legal scholar succinctly stated "we cannot justify leaving the protection of consumers in their henhouses to the foxes who are collecting and profiting from the aggregation, sale, and resale of all this formerly private consumer data." (12)

Although the problem is much more pervasive than one company alone, this note is limited to Facebook, arguably the goliath of social media due to its 1.86 billion (13) users. By maintaining vastly overreaching user agreements and privacy policies, to which consumers are required to assent on a take it or leave it basis, Facebook is essentially demanding that consumers choose between signing away any last semblance of their privacy or being ostracized from a growing community of billions of social media users worldwide. (14)

Because technological innovation and Internet reliance are unlikely to come to a halt, prospective action needs to be taken to protect consumer privacy before it is too late. (15) As Facebook continues its quest into storing, selling, and sharing arguably anything and everything it can about its users in order to turn a profit, more stringent laws and regulations governing what companies are permitted to collect, store, and use are more necessary now than ever. (16) However, because comprehensive federal consumer privacy legislation is unlikely to be enacted anytime soon, (17) this note serves to argue that intervention by the california judiciary is the best alternative in protecting consumer privacy from Facebook's overbearing Terms of Service and Data Policy. In addition to Facebook's forum selection clause mandating that any claims be resolved under California law "in the U.S. District Court for the Northern District of California or a state court located in San Mateo County," (18) California provides a uniquely situated forum for judicial resolution due to its proximity and history with technology litigation. (19)

Although "[t]he California legislature has introduced several bills that would directly regulate biometrics collection... due in part to industry pushback, none of these laws has moved out of the legislature." (20) For example, legislation proposed in 2011 in the California Senate "which would [have] require[d] a company that collects or uses 'sensitive information,' including biometric data, to allow users to opt-out of its collection, use, and storage [] faced stiff opposition from technology companies and their trade organizations." (21) In an opposition letter written in response to the proposed state legislation, the signing companies argued that "[p]rohibiting the collection and use of this data would severely harm future innovation in the state and harm consumers." (22)

Despite the fact that the industry desires to proceed unregulated in this modern-day race for data aggregation, the argument that consumer privacy comes at the expense of innovation is necessarily skewed. It is entirely possible to protect consumer privacy without stifling and impeding technological innovation; accurately stated by Federal Communications Commission (FCC) Enforcement Bureau Chief Travis LeBlanc, "[p]rivacy and innovation are not incompatible." (23) Because "[i]t is no longer enough to justify privacy invasions as technologically inevitable or as essential to the American economy," (24) California courts have a critical opportunity to proactively remedy the growing divide between reasonably sound consumer privacy policy and rapidly emerging technology endeavors. (25) Industry pushback and failure of the California legislature to pass a proper consumer privacy bill should not bring consumer privacy efforts to a grinding halt, especially when the state constitution has sufficiently teed up California courts to address the issue.

As such, this note will demonstrate why California courts are perfectly positioned to set the standard for pro-consumer, pro-privacy user agreements by holding Facebook's Terms of Service and Data Policy unconscionable due to the company's non-consensual deployment of facial recognition technology to collect its users' biometric data. (26)

Section II of this note will provide a brief technical overview of facial recognition technology and its associated privacy implications, as well as a background discussion on Facebook's current capabilities with facial recognition technology. Section III of this note will outline the doctrine of unconscionability under California law, examining the requisite elements and interplay between procedural and substantive unconscionability. This section will also include an analysis of how Facebook fails to explicitly mention and explain its biometric data collection practices in its ambiguous and overreaching Terms of Service and Data Policy, arguing that Facebook's nonconsensual collection of this sensitive data is unconscionable pursuant to California law. Finally, Section IV of this note will conclude with an explanation of why California courts are in the best position to set a standard for Terms of Service and Data Policy agreements that adequately protect consumer privacy without hindering private-sector technological innovation. Apart from discussing how and why courts should properly reach a finding of unconscionability with respect to Facebook's biometric data collection practices, this section will also propose two additional solutions, one under state constitutional law and one under state tort law, in an effort to demonstrate the many legal tools the California judiciary has at its disposal to safeguard sensitive consumer biometric data.

2. BACKGROUND: A BRIEF GUIDE TO FACIAL RECOGNITION TECHNOLOGY

   1. Facial Recognition Technology--A Brief, Technical Overview

      Facial recognition technology is most simply described as a biometric technology resource "which identifies individuals by measuring and analyzing their physiological or behavioral characteristics." (27) Designed to mimic and advance the human ability to recognize and identify faces, (28) computer facial recognition technology systems are capable of holding and analyzing an enormous amount of facial data imaging. (29) To illustrate this concept, while the human brain has a limited ability in the number of faces it can precisely recall, (30) a single server computer can search over 10 million records in less than 10 seconds. (31)

      The exact mechanics of a facial recognition technology system are far beyond the scope of this note. (32) However, a brief explanation of the fundamental technology is necessary in order to understand the legal argument asserted herein. Accordingly, "[t]here are generally four basic components to a facial recognition technology system: a camera to capture an image, an algorithm to create a faceprint (sometimes called a facial template), a database of stored images, and an algorithm to compare the captured...