The latest question in privacy law is not what’s in a name (or IP address, PHI, TV viewing activity, etc.), but what’s on a face. Consumers are becoming increasingly concerned with how companies are using their biometric information such as facial, fingerprint, and iris information. In one closely watched case, photo sharing website Shutterfly faces allegations that it violated consumer privacy by collecting facial scans without consent.

Background

On September 18, a federal judge rejected Shutterfly’s attempt to dismiss a putative class action suit. Shutterfly had argued that an Illinois privacy statute does not apply to face geometry scans obtained from photographs. The motion also argued that the statute requires a showing of actual injury that was not met and that the plaintiff’s claims raised location issues. All three arguments were shot down.

The plaintiff had allegedly found his photo uploaded to the Shutterfly site and tagged with his name, despite never having used Shutterfly’s services. According to the lawsuit, Shutterfly then created a map of the plaintiff’s face and stored that data without informing the plaintiff or asking for his consent. Now, following Shutterfly’s unsuccessful motion to dismiss, the case moves forward in an Illinois federal court.

Illinois is home to the latest trending privacy acronym you need to know: BIPA. BIPA, or the Biometric Information Privacy Act of 2008, is considered to be the strictest biometrics law in the United States. BIPA requires companies collecting biometric data to obtain prior consent from consumers and to disclose how they will use the data and how long they will store it. It is also the only state biometrics regulation that allows for a private right of action against potential violators. BIPA makes Illinois one of the top battlegrounds as biometric technologies develop and privacy considerations become more complex.

What’s Next?

Companies considering the use of biometric technologies must be alert for a rise in class actions in this space. Biometric information is particularly sensitive because it involves something that is an actual part of an individual. Proactively complying with BIPA or similar standards can help organizations protect their business and keep up with technological developments while also protecting the customer and keeping regulators at bay.