Biometrics are unique physical characteristics that can be used for automated identification of a person. Even though individuals may not know the exact term “biometrics,” millions of individuals use some form of it in their everyday life. For example, smartphones and third-party applications often use fingerprint scans or facial recognition, two forms of biometrics, as an option to unlock a smartphone or to log into an account. Biometrics have been lauded by big tech as a more secure option than traditional passwords because unique characteristics make it harder for an unauthorized person to gain access to a user’s smartphone or account.
But there is a dark side to the use of biometrics. Recently, technology companies have been gathering individuals’ biometric data without their consent to make a profit. Biometric data is highly valuable, as retailers can use this data to monitor customers in brick-and-mortar stores to learn their shopping habits and create personalized advertisements. Employers can equally use biometric data to keep track of their employees throughout the workday (e.g., requiring them to clock in and out of shifts using their fingerprint). The full repercussions of collecting biometric data, especially without consent, are still unknown as companies continue to find new uses for this unique data.
It’s relatively easy for a company to gain access to an individual’s biometric data. Technology companies can take images of a person’s face and convert it into data that can be recognized by computers. For example, you could simply post a picture of yourself on a social media site, or be seen by a camera while walking down the street, and the image of your face can be converted into computer code called a “faceprint.” This faceprint can then be compared to millions of other faceprints in a corporate or government database to identify you.
Unfortunately, only residents of the state of Illinois have the right to sue companies that are collecting their biometric information without their permission. The Illinois Biometric Information Privacy Act (“BIPA”) was passed by the Illinois General Assembly on October 3, 2008. Codified as 740 ILCS/14 and Public Act 095-994, BIPA guards against the unlawful collection and storing of biometric information. Washington and Texas have since passed similar laws; however, the Illinois BIPA remains the only law that allows private individuals to file a lawsuit for a violation of the statute. Recently, Florida and Massachusetts have also proposed biometric privacy laws that provide for a private right of action.
BIPA imposes requirements on businesses that collect or otherwise obtain biometric information. Examples of biometric information include, but are not limited to fingerprint, facial recognition, DNA, palm print, hand geometry, iris recognition, retina recognition and odor/scent recognition. In recent times, biometrics based on brain (electroencephalogram) and heart (electrocardiogram) signals have also emerged. A research group at University of Kent has shown that people have certain distinct brain and heart patterns that are specific for each individual. New technology can also analyze physiological features such as eye movement, body temperature, breathing etc. and can even predict dangerous behavior before it is carried out. Another example of a new biometric is finger vein recognition, which uses pattern-recognition techniques based on images of human vascular patterns.
BIPA requires companies doing business in Illinois to comply with a number of regulations pertaining to the collection and storage of biometric information. These include a requirement that companies:
- Obtain consent from individuals if the company intends to collect or disclose their personal biometric identifiers;
- Provide written notice of the specific purpose and length of time for which that biometric information will be used and stored;
- Securely store biometric identifiers;
- Retain the biometric information for the lesser of either the fulfillment of the purpose or three years after last contact with the individual, whichever is earlier; and
- If the scope of the purpose is too narrow at the outset for a later use, the business must obtain additional consent prior to undertaking the additional use.
The Act includes statutory damages of $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. A plaintiff is entitled to recover their actual damages if they are greater than the statutory amount.
In January 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags (discussed below), that a person who is “aggrieved” by a violation of BIPA need not allege an actual injury or harm beyond a procedural violation to have standing to bring an action under BIPA. With this ruling, the Illinois Supreme Court opened the way for new actions and laid the basis for the Ninth Circuit ruling in In re Facebook Biometric Info. Privacy Litig., finding that plaintiffs do not need to prove they were harmed in any concrete way, such as by having their identity stolen due to a data breach, to bring a suit under BIPA.
While some federal courts have dismissed BIPA claims for lack of subject matter jurisdiction due to, for example, “insufficient risk of future harm” (such as a heightened risk of identity theft), as discussed below the Illinois Supreme Court and the Ninth Circuit have held that a plaintiff has standing to sue under BIPA.
- State Court
- Rosenbach v. Six Flags Entm’t Corp.
The Illinois Supreme Court found in Rosenbach v. Six Flags that a Six Flags season pass holder can claim that her son’s thumbprint was illegally collected without consent, even without alleging a separate concrete injury.
Rosenbach alleged that Six Flags never informed her that they required her son’s fingerprint when she bought the pass. She also alleged that they never provided her with a policy detailing how they would use or store the information.
The Illinois Court of Appeals had held that a mere statutory violation of BIPA was insufficient to maintain an action, because it did not necessarily mean a party was “aggrieved,” as required by the statute. This was reversed by the Illinois Supreme Court which ruled that Rosenbach did not need to prove actual harm (e.g., identity fraud) in order to sustain a cause of action, defendant’s violation of BIPA was sufficient.
- Federal Court
- In re Facebook Biometric Info. Privacy Litig.
First filed in Cook County Circuit Court, Illinois Facebook users alleged that the social media platform violated BIPA when it scanned images of their faces, without consent, in order to run its Tag Suggestions feature. After Facebook removed the action to federal court, the U.S. Ninth Circuit Court of Appeals in California rejected Facebook’s argument that the plaintiffs’ lacked a concrete injury.
The Ninth Circuit ruled that the plaintiffs had demonstrated Article III standing because Facebook’s alleged development and use of facial recognition technology in violation of BIPA constituted an invasion of the concrete privacy interests that the statute is designed to protect. The court relied on the Illinois legislature’s finding that since biometric information cannot be changed, it presents heightened risks associated with identity theft. The U.S. Supreme Court declined to hear Facebook’s appeal of the decision to certify the class.
- Rivera v. Google
Google users sued the company for violating BIPA, alleging that it created and stored scans of users’ faces on its Google Photos service, without user consent. On December 29, 2018 Judge Edmond E. Chang of the Northern District of Illinois dismissed the lawsuit for lack of standing. Judge Chang wrote, “[w]ith neither a legislative judgment nor a common law analogue (or anything else) to support a finding of concrete injury, the court concludes that plaintiffs have not demonstrated an injury-in-fact sufficient to confer Article III standing,”
- Clearview AI
BIPA cases have been filed against Clearview AI (“Clearview”) in the Northern District of Illinois and the Southern District of New York. The first case filed was Mutnick v Clearview AI, Inc. et al. in the Northern District of Illinois.
The lawsuits allege that Clearview violated BIPA by “scraping” Illinois residents’ biometric data from photos posted on social media websites without their permission. Clearview is accused of offering its faceprint database to private companies, police, federal agencies, and wealthy individuals.
Clearview filed a motion to stay the proceedings in Mutnick pending decisions on its motion to dismiss based on personal jurisdiction. Clearview’s motion also requests to move Mutnick to the Southern District of New York, where Clearview is based. In New York, Chief Judge Colleen McMahon said that because the suit applies an Illinois state law and includes class members based on their Illinois residence at the time of the alleged violation, it is not clear that the cases belong in New York district court. Illinois Judge Sharon Johnson Coleman said that she will continue to work on pending motions in the case even as the company tries to move Illinois litigation to the Southern District of New York.
Mutnick requested to intervene in the pending New York suits and urged the court to transfer them to the Northern District of Illinois.
Hopefully more states follow Illinois’ lead and enact biometric privacy laws that empower individuals protect their biometric identifiers by taking action against those who fail to obtain consent to adequately safeguard that sensitive information.