This month, in one of the many recently-filed Illinois biometric privacy suits, a class action complaint alleging violations of Illinois’s Biometric Information Privacy Act (BIPA) was lodged against Wow Bao, a restaurant chain, over its use of self-order kiosks that allow customers to use faceprints as a method to authenticate purchases. (Morris v. Wow Bao LLC, No. 2017-CH-12029 (Ill. Cir. Ct. filed Sept. 5, 2017)). The suit against Wow Bao was not the only BIPA-related suit filed in September, as several businesses with an Illinois presence, including Crunch Fitness and Speedway, Inc., were served with complaints. And more than a week ago, an Illinois federal court refused to dismiss BIPA claims against photo storage service Shutterfly over claims that its photo tagging feature created a faceprint of the non-user plaintiff after a friend uploaded a group photo, and upon the service’s suggestion, then tagged the plaintiff, thereby storing plaintiff’s faceprint and name in Shutterfly’s database without his notice or consent. (Monroy v. Shutterfly, Inc., No. 16-10984 (N.D. Ill. Sept. 15, 2017)).
Even though Washington passed its own biometric privacy law this year, Illinois’s BIPA, which allows for a private right of action, remains the center of biometric and facial recognition privacy-related litigation. Biometric privacy suits previously involved social media services and video game makers, but have increasingly been asserted against businesses that collect biometric data to authenticate customers or employees. As more and more businesses and mobile apps use biometric authentication for consumer transactions, it is likely the above-mentioned lawsuits will not be the last.
Generally speaking, under BIPA an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:
- (1) informs the subject in writing that a biometric identifier is being collected;
- (2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
- (3) receives a written release executed by the subject.
Notably, BIPA provides for a private right of action, and potential awards of $1,000 in statutory damages for each negligent violation ($5,000 for each intentional or reckless violation), as well as injunctive relief and attorney’s fees.
Wow Bao’s Use of Facial Recognition
According to the complaint, when customers check out on Wow Bao’s self-order kiosks, they may choose to have their faceprint collected and stored in the system and used later to authenticate subsequent food and beverage purchases. The plainitffs allege that defendant violates BIPA by: failing to inform customers in writing of the specific purpose and length of time for which their faceprints were being collected and stored, failing to post a biometric data retention policy, and failing to obtain customers’ written consent to the collection and storage of their biometric information. The complaint seeks statutory damages under BIPA as well as injunctive relief requiring defendant to comply with BIPA’s requirements regarding the collection and use of biometric information.
Three More BIPA Suits
Other biometric-related cases that were filed against Illinois businesses in September include a putative class action suit against the gym chain Crunch Fitness over its alleged collection of members’ fingerprints for the purpose of tracking personal training sessions, purportedly in violation of BIPA. (Knobloch v. Chicago Fit Ventures LLC, No. 2017-CH-12266 (Ill. Cir. Ct. filed Sept. 8, 2017)). The plaintiffs alleged that Crunch failed to obtain the necessary notice and consent before collecting the fingerprints and did not post a data retention schedule. This suit brings to mind a 2016 BIPA settlement concerning a tanning salon’s collection of fingerprints for the purpose of verifying members during check-in. Moreover, in early September, a putative class action was filed against Speedway LLC, the gas station and convenience store chain, over its use of a biometric time tracking system to authenticate employees using fingerprint scans – Speedway was allegedly in violation of BIPA because of a lack of requisite notice and consent and a failure to post a data retention schedule. (Howe v. Speedway LLC, No. 2017-CH-11992 (Ill. Cir. Ct. filed Sept. 1, 2017)). The complaint also alleges that Speedway violated BIPA by “disclosing fingerprint data to an out-of-state vendor,” which itself is also a defendant in the Speedway action and alleged to have violated BIPA due to its purported failure to offer notice and obtain consent to collect such data from the plaintiffs. Similarly, in yet another action, an employee of auto body and glass company, ABRA Auto Body & Glass, filed a putative class action over ABRA’s collection and storage of fingerprints for the purpose of authenticating employees while clocking in and out. The suit claims that ABRA failed to provide the required notice of its biometric collection practices and obtain written consent from its employees. (Fields v. ABRA Auto Body & Glass LP, No. 2017-CH-12271 (Ill. Cir. Ct. filed Sept. 8, 2017)). The Howe and Fields suits recall the recent BIPA-related suit filed this past spring against a supermarket operator that required employees to scan their fingers each time they began or ended their work shifts.
Shutterfly’s Photo Tagging Feature
The ongoing action against Shutterfly is not the first BIPA-related suit against the photo storage service. In 2015, Shutterfly was involved in a similar biometric privacy dispute where that plaintiff claimed he was not a registered Shutterfly user, but that a friend had uploaded group photos depicting him and, upon prompting, tagged him in the photo, thereby adding his faceprint to the database (similarly, the plaintiff in the prior suit, like in the current Monroy suit, was not a user of the Shutterfly service, and had never formally consented to this collection of biometric data). In the prior suit, Shutterfly had failed to convince a district court to dismiss the action, compelling it to later settle the matter. (See Norberg v. Shutterfly, Inc., 2015 WL 9914203 (N.D. Ill. Dec. 29, 2015)).
In Monroy, the court again rejected Shutterfly’s argument that BIPA’s definition of a “scan of facial geometry” only applied to an in-person scan of a person’s face, not one derived from photographs. (See Monroy v. Shutterfly, Inc., No. 16-10984 (N.D. Ill. Sept. 15, 2017)). Ruling that the text of the statute should not be so narrowly-construed, the court stated that if “the legislature had intended a ‘scan of face geometry’ to refer only to scans taken of an individual’s actual face, it is reasonable to think that it would have signaled this more explicitly.” Such an interpretation is not surprising, as other courts have allowed BIPA suits to survive dismissal based upon similar reasoning.
The court also deferred ruling on jurisdictional and constitutional questions involving whether BIPA was being applied in an extraterritorial manner as to Shutterfly, a California corporation, or whether BIPA’s application to the facts of this case would violate the Dormant Commerce Clause.
Regardless of the outcome of the pending BIPA-related disputes, these cases (and the notice and data retention requirements under the Illinois biometric privacy statute) should be looked at closely by businesses with a presence in, or customers from, Illinois, to the extent such businesses collect biometric data. Now that BIPA litigants have expanded their sights to traditional businesses that use biometric data for customer or member authentication and also to employers that use biometrics for employee verification, a reexamination of biometric practices is ever more essential.