Mirror, Mirror on the Wall: Scan Your Face Here
by Bonnie Knodell & Jerry Glover
June 15, 2017
In 2008, the Illinois legislature enacted the Biometric Information Protection Act (“BIPA”), which forbids private entities from collecting and storing a person’s biometric information and biometric identifier without a person’s consent. 740 ILCS 14/15(b)(3). The BIPA defines a biometric identifier as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and biometric information as “any information…based on an individual’s biometric identifier used to identify an individual”. 740 ILCS 14/10. Additionally, a private entity that does hold and collect biometric identifiers or biometric information must provide a publicly available written policy that establishes how the information will be held and guidelines for when it will be destroyed. 740 ILCS 14/15(a).
Even though the BIPA was passed nearly a decade ago, there has been a surprising lack of litigation addressing this issue until very recently. Three cases in 2016 looked at this law.
Surprisingly, a federal district court in California was one of the first to look at the Illinois BIPA. In Re Facebook, 185 F.Supp.3d 1155 (N.D. Cal. 2016). The plaintiffs alleged that Facebook had violated Illinois’ BIPA with the use of its Tag Suggestions program. The Tag Suggestions program scans photos that are uploaded to Facebook and identifies the faces in them. If any of the faces are recognized, Facebook suggests tagging the person in the photo. The plaintiffs claimed that Facebook collected and stored their biometric information secretly and without their consent. The plaintiffs were from Illinois but Facebook is located in California, so the court had to decide which state’s law would apply. Facebook has a choice-of-law provision in its website user terms that designates California as the jurisdiction for all lawsuits brought against it. However, the court decided that Facebook’s choice-of-law provision was ineffective because California does not have a law protecting biometric information, which is contrary to Illinois’s policy of protecting its citizens’ right to privacy regarding their biometric information and therefore Illinois has a greater interest in the outcome of the case.
In its motion to dismiss, Facebook argued that biometric information gathered from photographs is not subject to BIPA because the BIPA only applies to in-person scans. However, the court reasoned that the BIPA’s broad purpose is to protect privacy and the specific requirement of an in-person scan is not supported by this purpose. Thus, photographs are subject to the BIPA and the motion to dismiss was denied.
In an Illinois case, L.A. Tan settled a class action suit for $1.5 million in Sekura v. L.A. Tan Enterprises, Inc., Case No. 15 CH 16694 (Cir. Ct. Cook Cnty.). L.A. Tan collected customer fingerprint scans to use in place of key fobs to provide members with access to tanning salons. Plaintiffs alleged that the tanning chain violated the Illinois BIPA by failing to obtain written consent for the collection of the fingerprint scans and failing to disclose plans for storing or destroying a customer’s biometric information in the event of membership termination. In addition to the cash settlement, L.A. Tan also agreed to establish methods for complying with the Illinois BIPA.
Two cases have been decided in 2017. As we discussed in an earlier post here, a New York federal court heard a BIPA case in January. In Vigil v. Take-Two, 2017 WL 398404, (S.D.N.Y. 2017), the court found that when biometric identifiers are used as both parties intended, there is no violation of the Illinois BIPA. The case was dismissed because the plaintiffs knew how their biometric identifiers would be used and did not suffer abuse of their biometric information due to any BIPA violations.
Shortly after the dismissal of Vigil, an Illinois federal district court decided that Google may be violating the BIPA when it uses photographs taken with an Android phone to collect biometric data. Rivera v. Google, 2017 WL 748590, (N.D. Ill. 2017). With its “Google Photos” application, Google automatically uploads and scans photographs taken with an Android phone to create face templates. These face-templates are then used to group photos of people together without their knowledge or consent. In its motion to dismiss, Google argued that the BIPA does not cover photographs or information gathered from photographs. The court rejected this argument by clarifying that a biometric identifier is not the source of the measurements of a physical component, but the measurements themselves. The motion to dismiss was denied.
Earlier this year a class action was filed against Roundy’s Supermarket alleging a violation of the Illinois BIPA. Roundy’s requires employees to use their fingerprint scans to clock in and out of work. Plaintiffs allege that Roundy’s violated the BIPA by failing to obtain written consent and failing to publicly disclose a procedure for storing and destroying biometric information. The litigation is ongoing.
Advances in technology that utilizes biometric data have created a demand for protections given by the Illinois BIPA. Until recently, Texas was the only other state to have similar legislation (Texas. Bus. & Com. Code Ann. § 503.001). In April, Washington state also passed a law that aims to protect a person’s privacy rights regarding their biometric information. Alaska, Connecticut, Montana, and New Hampshire are currently in the process of enacting similar statutes that protect biometric information.