A federal appeals court has given Facebook users the nod to sue the social media giant for violating their privacy rights by using facial recognition technology without their consent.

The Ninth Circuit Court of Appeals upheld a lower court’s ruling that Facebook users in Illinois could bring a class action suit against Facebook under the Illinois Biometric Information Privacy Act (BIPA), which requires organizations to obtain user permission to collect and store biometric information.

The court found that the plaintiffs’ privacy had been violated, warranting the suit. Writing the opinion in the Patel v. Facebook ruling, Judge Ikuta said the court “concludes that the development of a face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests.”

Noting “the facial-recognition technology at issue here can obtain information that is ‘detailed, encyclopedic, and effortlessly compiled,’” Ikuta wrote that “would be almost impossible without” it.

“This decision is a strong recognition of the dangers of unfettered use of face surveillance technology,” Nathan Freed Wessler, staff attorney with the ACLU Speech, Privacy, and Technology Project, said in a release. “The capability to instantaneously identify and track people based on their faces raises chilling potential for privacy violations at an unprecedented scale. Both corporations and the government are now on notice that this technology poses unique risks to people’s privacy and safety.”

BIPA has given privacy protections some teeth. Its “innovative protections for biometric information are now enforceable in federal court,” Rebecca Glenberg, senior staff attorney at the ACLU of Illinois, said. “If a corporation violates a statute by taking your personal information without your consent, you do not have to wait until your data is stolen or misused to go to court. As our General Assembly understood when it enacted BIPA, a strong enforcement mechanism is crucial to hold companies accountable when they violate our privacy laws. Corporations that misuse Illinoisans sensitive biometric data now do so at their own peril.”