By: Anamaria Pananas
Last year, Target was reported to lose $500 million from retail theft. This year, in an effort to increase surveillance at self-checkout machines, Target adopted a new technology called “TruScan”, which uses cameras to detect items and alert the customer of items that have not been scanned.
Self-checkout stations across the nation are getting upgraded to protect large retail corporations like Target from retail theft, but plaintiffs allege that these upgrades come with a cost to consumer privacy protection. Biometric data, such as fingerprints, facial geometry, hand scans, and voiceprints may all prove to be useful tools for combatting theft in retail stores. Self-checkout is particularly where a store may collect this data to combat theft through the improper scanning of items. In return, there is a clear tension between the interests of large retail companies using certain surveillance technologies to combat theft and the public interests protected by laws like Illinois’ BIPA.
Illinois’ BIPA prohibits private companies from collecting the biometric data of customers without following the act’s guidelines. The company must provide written documentation that explains what data is being collected, and why. The consumer must then give the company written consent for the company to continue its collection of biometric data.
On March 30th, 2024, plaintiffs filed a lawsuit against Target alleging that the company had violated BIPA. In the lawsuit, plaintiffs claim that a part of Target’s adoption of the new surveillance technology includes the collection of its customers’ facial recognition data, asserting three counts: 1) Violation of BIPA because there is no written policy regarding the collection/use of biometric data 2) Not obtaining written consent 3) Disclosing the data to third parties. The plaintiffs include Denise Arnold, Blaire Brown, and Sandre Wilson, who are all frequent Illinois Target shoppers. The complaint focuses on sources that highlight Target’s efforts to bolster surveillance systems, which plaintiffs claim most likely include facial recognition technology. Plaintiffs also cite news articles in their complaint that point to comments made by former Target employees. For example, a former employee warned viewers on TikTok that Target’s sophisticated surveillance includes facial recognition software that “can get a clear image of who you are.” The original three plaintiffs all rely on these third-hand accounts; however, Lindsay Schumm, a new plaintiff, claims that shortly after visiting an Illinois store, Target’s loss prevention team looked her up on LinkedIn. All plaintiffs allege that these sources allow for a “plausible inference” that Target is using facial recognition data.
The complaint notably stresses the uniqueness of biometric data. The objective of BIPA is to protect a type of data where the impacts on a person’s privacy are still unknown, especially unknown consequences. Since the data is biological, there is little a person can do if the data is compromised and they become victims of identity theft. This is why it is important that corporations follow the guidelines set forth in BIPA.
Target’s response asserts that these claims are baseless. Target filed a motion to dismiss in September, denying its use of facial recognition technology, and pivoting the issue to the plaintiffs’ lack of proof due to misleading information. Target attacks the plaintiffs’ sources, vehemently stating that there is a lack of “plausible inference” between these claims and their sources. For more background, TruScan, the technology that Target reportedly implemented earlier this year, would give shoppers audio and visual cues if they don’t scan an item. The report did not indicate that the system uses facial recognition technology to serve this purpose.
Despite Target’s consistent denial of the plaintiffs’ claims, distrust in the corporation’s privacy promises lingers and encourages beliefs that the corporation collects personal biometric data from customers who visit their stores in Illinois. Although the sources cited in the complaint are few, they were enough to ignite this anxiety. Sources like the TikTok created by a former Target employee may be assigned more probative value than they should. These media mechanisms are designed to kindle this type of reaction; these sources combined with facts of Target’s asset protection teams and sophisticated forensics lab provide enough ammo for the plaintiffs to argue that there is a plausible inference that facial recognition exists as part of Target’s security upgrade. Schumm has not provided proof of the use of facial recognition – and this is where it becomes unclear whether the law has kept up with the pace of the implementation of biometric collection systems by large corporations. To date, there lacks national protection for biometric data, so BIPA puts most of its trust in the corporation to follow the state’s law.
This is all to say, that some stores may start considering the implementation of facial recognition systems as part of their security upgrades. This is encouraging other states to follow in Illinois’ footsteps and implement biometric privacy acts of their own. The legislative intent of BIPA centers around the idea that the use of biometrics is “growing” and the public has become “weary”, no doubt encouraging the idea that this could become a problem if no protective measures are in place.
Will these measures be enough to deter large corporations like Target from collecting facial recognition data without a consumer’s consent? This lawsuit could be a step towards finding out. The future may face a weighing of interests which could challenge whether BIPA can endure the zealous interests of retail giants to combat retail theft.
The lawsuit is pending as the court has not ruled on Target’s motion to dismiss.
Student Bio: Anamaria Pananas is a second-year law student at Suffolk University Law School. She is a staff member for the Journal of High Technology Law. Anamaria received a Bachelor of Science degree in Media Science with a minor in Statistics from Boston University in 2023.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
Photo by: Helen H. Richardson, The Denver Post
