A proposed class action lawsuit against Meta Platforms, the parent company of Facebook and Messenger, will proceed in Illinois state courts, after a federal judge rejected Meta’s attempt to move the case to California. The suit centers on allegations that Meta violated the Illinois Biometric Information Privacy Act (BIPA) through its collection and use of facial recognition data via Messenger’s filters.
U.S. District Judge Nancy J. Rosenstengel ruled on February 20, 2026, that despite a clause in Meta’s terms of service stipulating California law governs disputes, enforcing that provision would conflict with fundamental Illinois policy. The judge also determined that Illinois has a greater interest in the case than California, effectively allowing the plaintiffs to pursue their claims under BIPA. This ruling marks a significant win for privacy advocates and could set a precedent for similar biometric data lawsuits.
The core of the dispute lies in how Meta handles biometric data collected when users utilize features like filters on Facebook Messenger. Plaintiffs allege that Meta collected and stored their “face geometries” without proper consent, as required by BIPA. Illinois’ BIPA is one of the strictest biometric privacy laws in the United States, giving individuals the right to control how their biometric data is collected, used, and stored. Violations can result in significant financial penalties.
Illinois BIPA: A Strict Standard for Biometric Data
Enacted in 2008, the Illinois Biometric Information Privacy Act (BIPA) regulates the collection, use, and storage of biometric identifiers, such as fingerprints, voiceprints, and facial scans. The law requires companies to obtain informed written consent before collecting biometric data, to inform individuals about how their data will be used, and to implement reasonable security measures to protect the data. Unlike many other states, BIPA provides a private right of action, allowing individuals to sue companies for violations. The full text of the Illinois Biometric Information Privacy Act can be found here.
Meta argued that the case should be heard in California, citing the dispute resolution clause in its terms of service. However, Judge Rosenstengel found that enforcing this clause would undermine Illinois’ strong public policy regarding biometric privacy. The judge reasoned that Illinois has a substantial interest in protecting its residents’ biometric information, and that interest outweighs Meta’s contractual preference for California law.
This isn’t the first legal challenge Meta has faced regarding its biometric data practices. In April 2025, Meta won the right to challenge a separate voice privacy lawsuit in Illinois, according to IDTechWire. That case, Delgado v. Meta Platforms, Inc., also centers on allegations that Meta harvested and stored voice data without proper consent. Meta also filed a reply in support of a judgment against claims that it violated Illinois BIPA through the collection of “face geometries” when users employed Messenger filters, as reported by MLex in September 2025. The company maintains that its terms of service allow for dispute resolution in California.
Implications for Meta and Biometric Privacy
The ruling in Hartman et al v. Meta Platforms, Inc. (Case No. 3:2023cv02995 in the Southern District of Illinois) – detailed in court document 42 – could have broader implications for Meta and other tech companies that collect biometric data. It reinforces the idea that state biometric privacy laws can override contractual agreements to resolve disputes elsewhere.
As ASW Law points out, Meta’s business model relies heavily on user data, including biometric information, to optimize advertising and generate revenue. The firm also highlights the security risks associated with storing vast amounts of sensitive biometric data, noting that Meta itself has acknowledged its inability to track every data breach. This vulnerability underscores the need for stronger data protection measures and greater user control over their biometric information.
The outcome of this case could influence how other courts interpret similar disputes involving biometric data and state privacy laws. It also highlights the growing legal scrutiny of tech companies’ data collection practices and the increasing importance of protecting individuals’ biometric privacy rights. The case is ongoing, and further developments are expected as it proceeds through the Illinois court system.
What comes next will depend on the progression of the class action lawsuit. The court will likely address issues of class certification and the scope of damages. This case, and others like it, will continue to shape the legal landscape surrounding biometric data privacy in the United States.
Have your say: What impact do you suppose this ruling will have on the future of biometric data privacy?
