We’ve closely followed the numerous biometric privacy disputes and legislative developments surrounding the Illinois Biometric Information Privacy Act (BIPA), which precludes the unauthorized collection and storing of some types of biometric data. In the latest ruling, an Illinois district court refused to dismiss a putative class action alleging that the cloud-based Google Photos service violated BIPA by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. (Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. Feb. 27, 2017)).
This is the third instance where a district court refused, at an early stage of litigation, to dismiss BIPA claims relating to the online collection of facial templates for photo-tagging purposes. Unlike those prior courts’ relatively cursory interpretations, however, the Rivera court’s expansive 30-page opinion is the deepest dive yet into the statutory scheme (and purported vagaries) of the Illinois statute. The decision is the latest must-read for mobile or online services that collect and store biometric data from users and want to understand to what extent their activities might fall under the Illinois biometric privacy statute. The plaintiffs’ claims in Rivera (as well as the ongoing biometric privacy litigation in California) may well prove unsuccessful on procedural or statutory grounds; yet these initial takes on the scope of BIPA stress the importance of examining current practices and rollouts of new services that feature biometrics.
The plaintiffs in Rivera claimed that Google’s creation of faceprints in Google Photos and subsequent storage of “biometric identifiers” was performed without consent in violation of BIPA. The plaintiffs also alleged that Google did not make publicly available a biometric data retention and destruction schedule as required by the Act. In response, Google filed a motion to dismiss, principally arguing that BIPA only covers in-person scans of facial geometry and does not cover photographs or information derived from photographs. In addition, among other contentions, Google advanced a jurisdictional argument that BIPA does not regulate behavior outside of Illinois and that the creation and storage of facial scans in its cloud-based service did not occur “primarily and substantially” in the forum. The court denied the motion.
The Illinois statute, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice and consent and data retention requirements. The statute contains defined terms and limitations, and parties in ongoing suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute.
The relevant definitions are as follows:
“Biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs….
“Biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
In the court’s thinking, the definition of biometric identifier is “simply a list of specified things that does not distinguish the manner in which the identifier is generated,” and “biometric information” is simply a qualifier that ensures that “private entities cannot do an end-around [BIPA] by converting biometric identifiers into some other format.”
In denying the motion, the court rejected Google’s argument that face-scan measurements derived from a photograph do not qualify as biometric identifiers, holding that “nothing in the text of [BIPA] directly supports this interpretation.”
The court states this proposition in several passages in its decision:
“Nothing in the statute says, one way or the other, how the biometric measurements must be obtained (or stored, for that matter) in order to meet the definition of ‘biometric identifier.’ The definition simply lists the specific identifiers that are covered. And the particular biometric identifiers can, in fact, be collected in various ways without altering the fact that the measurements still are biometric identifiers.”
“Indeed, because advances in technology are what drove the Illinois legislature to enact [BIPA] in the first place, it is unlikely that the statute sought to limit the definition of biometric identifier by limiting how the measurements are taken. Who knows how iris scans, retina scans, fingerprints, voiceprints, and scans of faces and hands will be taken in the future? It is not the how that is important to the Privacy Act; what’s important is the potential intrusion on privacy posed by the unrestricted gathering of biometric information. The bottom line is that a ‘biometric identifier’ is not the underlying medium itself, or a way of taking measurements, but instead is a set of measurements of a specified physical component (eye, finger, voice, hand, face) used to identify a person.” [emphasis added]
The court noted that the plaintiffs are not claiming that the photographs themselves were biometric identifiers, but rather the faceprints captured from them. In fact, the court commented that had Google “simply captured and stored the photographs and did not measure and generate scans of face geometry, then there would be no violation of the Act.”
Still, while ruling that the plaintiffs adequately stated a claim under BIPA at this early stage, the court remarked that Google might eventually prevail on its argument that the statute does not cover what Google collects from user photos once the factual record is further developed in discovery.
Secondary Argument: Extraterritorial Effect
In addition to its statutory-based arguments, Google contended that its photo tagging activities occurred outside of Illinois and therefore fell beyond the reach of BIPA – that is, the plaintiffs’ claims were an extraterritorial (and therefore non-actionable) application of BIPA. While the court held that BIPA does not have extraterritorial effect outside Illinois, and any asserted violations must take place in Illinois to be actionable, the court concluded that discovery was required to determine the locations of any alleged violations as a matter of law. Illinois law applies a “totality of the circumstances” test to determine whether a transaction occurs within the state, and the court noted that given the novel technology at issue in this dispute, there was little guidance concerning cloud-based transactions of this type. While the plaintiffs alleged that they were Illinois residents and the injury involved photos automatically uploaded in Illinois from an Illinois-based IP address, Google countered that the plaintiffs failed to pinpoint where any supposed lack of consent occurred or a location for the actual scanning of face geometry (which, in Google’s thinking, would be the determinative “situs” of the alleged BIPA violation). While the court left the issue for another day, it stated that even if it could definitively determine that the actual facial scanning took place outside of Illinois, that fact “would not necessarily be dispositive.”