If you've ever been tagged in a photo online, you might have some cash coming your way — and soon.
Earlier this month, more than 1.4 million long- and short-term residents of Illinois started receiving checks for up to $397, as compensation for a $650 million class action lawsuit settled against Facebook. According to plaintiffs, the social media platform illegally used facial recognition data — gathered without consent — to prompt users to tag their friends in photos.
Experts say that's only the beginning: More checks from privacy lawsuits are likely on the horizon. Google Photos and Shutterfly incurred similar class action lawsuits in Illinois, and have entered approval stages of multimillion-dollar settlements within the past year. In January, sandwich chain Pret A Manger settled a lawsuit — for $677,000 — alleging that it kept records of its employees' fingerprints from its time-keeping system, which is also illegal under Illinois' 2008 biometric privacy law.
The Illinois law is one of the strictest in the country. Similar laws also exist in Texas and Washington, and are set to go into effect next year in California, Colorado and Virginia. The spread of such legislation may be timely: According to attorney Paul Geller of Robbins Geller Rudman and Dowd LLP, one of three firms that settled the case against Facebook, the checks aren't nearly as eye-opening as the data privacy violations themselves.
"Technology is great, but with things like facial recognition, there's a dark side to it," Geller tells CNBC Make It. "People don't realize that we are being surveilled more than we know."
Being auto-tagged in photos may not seem like a huge deal, but once tagged, your face can become available to companies outside your photo platform's walls. New York-based software company Clearview AI, for example, somewhat infamously claims to have scraped more than 20 billion images from websites like Facebook, YouTube and Venmo for a massive facial recognition database available to paying companies.
"As we walk down the street, everyone can see our face, but only some people can link our face to our name," says Matthew Kugler, a privacy law professor at Northwestern University.
The technological ability to instantly link someone's face to their personal information, Kugler says, could make it easier for people to harass their local Starbucks barista or jeopardize the lives and safety of domestic violence victims, sex workers or those in witness protection programs.
In 2019, Kugler published research showing that Americans aren't interested in being surveilled on that level: More than 70% of participants said they were uncomfortable with companies using facial recognition to track people's locations and serve targeted ads. Interestingly, most participants didn't express concern over workplace fingerprint scans.
"It isn't that people value or don't value biometric privacy – it's that what it means to value privacy varies a lot from context to context," Kugler says. "The same underlying technology might enable both the innocuous uses and terrifying results."
The lawsuits and settlements are already making an impact. Earlier this month, as part of a recent settlement, Clearview AI agreed to halt access to its facial recognition databases for several companies in the U.S., shifting a majority of its services solely to law enforcement. Facebook and Instagram users in Illinois and Texas can't access "face filter" services anymore.
For now, Kugler says, national legislation is probably a long way off — but you can expect more state-by-state lawsuits and settlements in the years to come.
"For national legislation, it's going to be quite a while before there's any consensus," he says. "But from my understanding, a lot of similar lawsuits and settlements are likely going to follow now that people know you can make money on it."
Facebook, Google, Shutterfly, Pret A Manger and Clearview AI did not immediately respond to CNBC Make It's request for comment.