The Illinois Biometric Information Privacy Act (IBIPA) covers face geometry scans that are created from digital images, according to a preliminary ruling last month in a lawsuit against Google. Rivera v. Google Inc., No. 16 C 02714 (N.D. Ill. February 27, 2017). The suit seeks monetary compensation for individuals identified by face recognition technology in photos uploaded to the “Google Photo” service. The ruling rejected Google’s argument that the IBIPA should only cover facial scans that are made in person and potentially subjects Google and other providers of widely used facial recognition technology to significantly expanded privacy requirements in Illinois to protect biometric privacy of individuals whose faces are in the tech companies’ databases.
Two individuals sued Google, seeking class action status and claiming that Google violated the IBIPA when, without their consent, Google’s software obtained facial geometry for their faces from photos that were uploaded to Google Photo. Google Photo is a cloud based offering of Google that, among other things, uses facial recognition technology to assist users in organizing and retrieving their photos. The IBIPA requires anyone who collects and stores certain “biometric identifiers” such as “face geometry” to first obtain the person’s consent and also requires a written policy for retention and eventual destruction of those identifiers. The statute provides for damages of $1,000 for each negligent violation and $5,000 for each intentional violation.
In seeking to have the suit dismissed before proceedings begin, Google argued that language in the statute excluding photographs from some parts of the IBIPA should be applied to interpret the statute’s definition of “biometric identifiers” that are covered by the statute to mean that only in-person scans are covered. The statute defines “biometric identifier” as, “a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.” The Court, in a detailed 30-page ruling carefully analyzing the text of the statute and the legislative history, concluded that despite “photograph” being expressly excluded from a different definition in the statute, the Illinois legislature did not intend to distinguish between in person and virtual scans in the definition of “biometric identifier.” As a result, it interprets “biometric identifier” to include face geometry extracted from Google Photo images.
If this interpretation ultimately prevails, it would have a significant impact, at least in Illinois, on the privacy compliance requirements for a broad and growing category of technology products. In addition to Google, a great many photo sharing and social media product providers use similar facial recognition technology to identify people, to organize photos and to add features and images to photos. The IBIPA would require all the entities providing these functions to specifically inform their users about the collection of face geometry and to publish a retention schedule, detailing how the data will be kept and when it will be deleted.
The impact of this Illinois statute on the rest of the country remains a contested issues. In its ruling, the court concluded that at this early stage of the lawsuit there was sufficient indication that the statute was violated in Illinois so that, unless contrary evidence was introduced, it would apply in this case. That, however, was based on the assertion that the pictures were taken and uploaded in Illinois, and without an analysis of where the facial geometry was extracted or stored. The court put aside to a later stage of the litigation the federal constitutional questions about whether this Illinois statute could govern Google’s (and other internet providers’) actions across the United States.