Would the California Consumer Privacy Act Have Protected Us From FaceApp?
The privacy scandal du jour revolves around FaceApp, an app for iOS and Android that allows users to automatically digitally alter their photographs to look older, younger, change hairstyles, facial hair, glasses, or more. In order to make FaceApp work, users had to grant the app access to their photos, either from their devices’ camera roll or social media account. Then the magic happens, multiplied by the 100 million or so people who have downloaded the app so far.
![](https://i2.wp.com/www.californiadataprivacy.com/wp-content/uploads/2019/07/IMG_1760.jpg?fit=640%2C853&ssl=1)
However, recent examinations into FaceApp’s policies raise new and troubling questions about what FaceApp can and will do with our photos, and whether there’s anything we can do to stop them. Well, these questions may be troubling but they aren’t new: FaceApp first went viral back in 2017, before the Internet forgot it exists just like everything else.
This most recent freakout comes amid the realization that FaceApp is owned by a Russian company and that their terms of use essentially grant FaceApp the right to access and use our photos, as well as the “perpetual, irrevocable” right to use any photos that they processed for us. This, paired with the fact that FaceApp uploads the photos being processed to their server, sparked fear and outrage just as quickly as the old-age photos dominated social media.
Here’s the language in question:
You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you. When you post or otherwise share User Content on or through our Services, you understand that your User Content and any associated information (such as your [username], location or profile photo) will be visible to the public.
Initial reports that the sky was falling seem to be a bit overstated, as it seems, at least for now, that our worst fears are not being realized. According to Will Strafach, FaceApp only uploads the photo it is processing, not our entire camera roll. According to Forbes, FaceApp’s founder says that the image processing occurs in the cloud for efficiency purposes but that “[m]ost images are deleted from our servers within 48 hours from the upload date.” Still, even if we take FaceApp at its word, this should be a lesson about the perverse and often baffling world of “free” online tools, such as we discussed in the Cambridge Analytica matter.
Luckily for the privacy-minded, here in California we have something called the California Consumer Privacy Act. But would the CCPA have stopped FaceApp from doing what it did?
In short, yes…and no. Let’s run through the basic elements.
Is FaceApp Covered by the CCPA?
Yes. Even without considering the amount of FaceApp’s revenue or the source of its revenue, a for-profit company is subject to the CCPA if it “[a]lone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” FaceApp clearly meets that standard, depending on the answer to the next question:
Are Faces Considered “Personal Information” Protected by the CCPA?
Yes. The CCPA protects “personal information,” which includes “biometric information.” Biometric information is defined as:
an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
Clearly, even without considering what other information FaceApp collects or stores, faces are covered.
Is FaceApp’s Privacy Notice Adequate?
![](https://i0.wp.com/www.californiadataprivacy.com/wp-content/uploads/2019/07/UNADJUSTEDNONRAW_thumb_2bd2-e1563523841998-222x300.jpg?resize=222%2C300&ssl=1)
The answer to this question lies in the interaction between FaceApp’s terms and its privacy policy. While the terms, as quoted above, give FaceApp the right to do basically whatever it wants with our photos, the privacy policy is pretty comprehensive. Also, I’m not sure how new this is, but now FaceApp makes you affirmatively consent to upload your photos to a server for processing (see screenshot to the right). This is a positive step toward transparency, as many people presumably may have believed that the image processing was occurring on their phones without uploading to a server.
Still though, is the privacy policy good enough? I don’t think so. In order to comply with the CCPA, FaceApp would need to clearly disclose to its users that it plans to sell their processed photographs, and give users the right to opt out. That does not seem to be the case here. Also, due to the non-discrimination portion of the CCPA, FaceApp would need to allow people to use the app functions even if they opt out (although, perhaps, FaceApp could allow access to its “Pro” features to users who consent to the same of their photos. This aspect of the CCPA needs further fleshing out).
Further, FaceApp would also need to set up automated processes for users to protect themselves, including a Do Not Sell My Personal Information button and a mechanism for consumers to request what personal information FaceApp has on them. To FaceApp’s credit, the founder says they’re willing to delete uploaded photos if people ask:
He said that users can also request that all user data be deleted. And users can do this by going to settings, then support and opt to report a bug, using the word “privacy” in the subject line message. Goncahrov said this should help speed up the process.
And he added: “We don’t sell or share any user data with any third parties.”
https://www.forbes.com/sites/thomasbrewster/2019/07/17/faceapp-is-the-russian-face-aging-app-a-danger-to-your-privacy/#7d15bd692755
Under the CCPA, FaceApp would need to set up “two or more designated methods for submitting requests for information,” including a toll-free phone number and a website, and would have to comply with the deadlines set forth in the CCPA.
So, What Would Have Happened Under the CCPA?
If the CCPA had been in effect during this most recent surge in FaceApp’s popularity (assuming FaceApp’s compliance), a lot of the concerns would have addressed. Instead of simply relying on FaceApp’s word that they are not selling our photos, we would know for sure. Users clicking through the Terms of Use and Privacy Policy would have had the opportunity to opt out of the sale of their data, and users would have an automated way to request their FaceApp data and request deletion, instead of FaceApp retroactively granting these requests after the public blowback.
All in all, it’s good that we received this harsh of a lesson from a company that, it seems, is acting in good faith. This will not always be the case. In other words, if you’re wondering why privacy advocates thought California needed such a law, here’s Exhibit A.
- When Do Vendors Count as Service Providers Under the California Consumer Privacy Act? - August 26, 2019
- How Could the Ninth Circuit’s Decision in a Facebook Facial Recognition Lawsuit Affect California? - August 9, 2019
- Will the California Consumer Privacy Act Force Businesses to Disclose Marketing Secrets? - July 31, 2019