Recently, artificial intelligence-powered FaceApp has gone viral over its ability to make someone look older in an uploaded photo. Although selfie enthusiasts were humored by the results, privacy advocates were alarmed by the app's ties to Russia and allegations the app can upload a device's entire photo library to the cloud.

In a statement, FaceApp denied its app uploads a user's photo library to its cloud storage. But that hasn't cooled privacy concerns around FaceApp and other similar apps.

Companies like FaceApp that access, process or store user photos do not operate in a legal vacuum. Many have to contend with the EU's General Data Protection Regulation (GDPR), U.S. states' privacy and biometric laws, and even potential plaintiffs examining if their practices match their privacy policies. 

Jackson Lewis principal Joseph Lazzarotti, who spoke generally about website privacy policies, noted the GDPR defines a picture of someone as personal information, requiring specific consent to collect and process, among other requirements. 

In the U.S., however, most states' data breach notification laws don't include a photo in the definition of personal information. Lazzarotti said if a breached photo contains metadata that includes a username and password, that data would fall under some of these states' laws. Specifically, if personal data meets a state's “significant risk of harm” threshold, notification of the breach is required.

L.A.-based Jeffer Mangels Butler & Mitchell partner Bob Braun also noted the California Consumer Privacy Act (CCPA) and Illinois' biometric laws define photos as biometric data, placing some photo-collecting companies under the direct watch of the California and Illinois state attorneys general.

“I think what you have to look for is the biometric laws that protect and govern biometric data,” he said. “The new breed of privacy laws in particular, like the California act and the New York act, very typically impact [biometric data rights].”

Meanwhile, absent a U.S. federal data privacy law, a photo-collecting company could also have “potential exposure” if the Federal Trade Commission (FTC) or state attorney general finds the company's privacy notice doesn't match its actual procedures, Lazzarotti said. If a company's data privacy policy and safeguards aren't being practiced, “there is an argument that's a deceptive act,” Lazzarotti said.

“It seems to me companies in general need to pay attention to their privacy notices on their websites,” he cautioned. “They need to make sure of what exactly they are saying to customers about their practices.”

A company whose privacy notices don't match its actual practices could also face claims from plaintiff attorneys after a breach, Braun added.

Braun said it's likely a plaintiff attorney would make a claim under a state's privacy law or file a claim for gross negligence, arguing the company's privacy notice discrepancies were an unfair trade practice or unfair advertising.