By: Tayler Sherman

In July 2020, two Chicago residents, Steven Vance and Tim Janecyk, filed separate, but nearly identical, class-action lawsuits against Amazon and Microsoft claiming that the two tech giants violated Illinois’ Biometric Information Privacy Act (“BIPA”) by using geometric scans of their face without their permission. Vance and Janecyk claim that Amazon and Microsoft unlawfully collected and profited from their biometric data. The companies obtained the geometric scans from IBM’s Diversity in Faces database to improve their facial recognition technology. IBM’s data set was created for research purposes to “eradicate racial and gender bias in facial recognition.”

BIPA, passed in 2008, is an expansive state law that protects individuals from the unauthorized collection and use of biometric data. BIPA regulates an entities’ use of a consumer’s biometric information “regardless of how it is captured, converted, stored, or shared” to identify an individual. Pursuant to the statute, biometric data includes facial, hand, or finger recognition, retina or iris scan, or voiceprint. Certain data, such as writing samples, photographs, and any “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment or operations under [HIPAA]” is excluded from BIPA’s reach.

Private entities must comply with BIPA requirements however, governmental entities and agencies and financial institutions subject to Gramm-Leach-Bliley Act of 1999 are excluded. BIPA imposes five requirements businesses must comply with – covered entities must (1) provide a publicly available written retention and destruction policy relating to biometric data; (2) obtain informed consent to collect biometric data; (3) cannot sell, lease, trade, or otherwise profit from the data; (4) obtain consent for disclosure unless it is required for a specific purpose (pursuant to a valid warrant or subpoena or required by law); and (5) impose reasonable security standards to protect the sensitive information.

BIPA provides individuals with a private right of action. The private right of action allows an individual to bring a BIPA violation without showing an actual injury. In the 2019 Rosenbach v. Six Flags Entertainment decision, the Illinois Supreme Court concluded that an individual may bring suit even if “the only harm was a violation of their legal rights”, an individual does not need to demonstrate an adverse effect or specific harm. Although the statute went into effect in 2008, Illinois did not see a spike in BIPA class actions until the Rosenbach decision. A majority of cases post-Rosenbach were directed at employers implementing fingerprinting technology for security purposes. BIPA cases began to shift towards large tech companies and the recent $650 million settlement with Facebook will likely trigger similar suits.

On March 16, 2021, Judge Robart, a Washington federal judge, denied Amazon and Microsoft’s motions to dismiss. Judge Robart rejected Amazon and Microsoft’s arguments that facial scans derived from photographs do not qualify as biometric data pursuant to BIPA. The judge, consistent with other federal courts, held that BIPA extends to such data because the specific physical component, the facial scan, is at issue, not the medium used to obtain the data. Judge Robart also found that the defendants failed to provide any support that scans taken from photographs could not be biometric data themselves.

Amazon and Microsoft also sought dismissal on grounds that BIPA only applies to conduct inside of Illinois, not outside of the state. The court denied the territorial argument reasoning that it was too early in litigation to warrant dismissal on such grounds and noted discovery is needed to determine “the extent to which the alleged misconduct occurred in Illinois.”

The parties are required to submit an additional briefing relating to two issues – (1) the meaning of BIPA’s “otherwise profit from” provision, and (2) the conflicting unjust enrichment claim between Washington state and Illinois state law.

Biometric technology continues to magnify, as people use biometrics daily to gain access to cellphones and computers. There are grave consequences when an individual’s biometric data is compromised compared to the misuse of other personal information such as a credit card or bank account number. Misuse of biometric data is more severe because, unlike a credit card number which can easily be reordered and changed, a person’s face and fingerprints are unique and unchangeable. Currently only three states, Illinois, Texas, and Washington, have active biometric laws, with Illinois being the only state providing a private right of action. However, New York and Maryland are set to pass state legislation soon with additional states likely to follow the trend.

Student Bio: Tayler Sherman is a third-year law student at Suffolk University Law School and serves as a Staff Member on the Journal of High Technology Law. Tayler holds a Bachelor of Science in Criminal Justice from Endicott College.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.