As we have previously written about, there are several ongoing biometric privacy-related lawsuits alleging that facial recognition-based systems of photo tagging violate the Illinois Biometric Information Privacy Act (BIPA). Add one more to the list. A Chicago resident brought a putative class action against Google for allegedly collecting, storing and using, without consent and in violation of BIPA, the faceprints of non-users of the Google Photos service, a cloud-based photo and video storage and organization app (Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. filed Mar. 1, 2016)).
Under BIPA, an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:
(1) informs the subject in writing that a biometric identifier is being collected;
(2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject.
The statute contains defined terms and limitations, and parties in other suits are currently litigating what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute.
The statute also provides that entities in possession of certain collected biometric data post a written policy establishing a retention schedule and guidelines for deleting data when the initial purpose for collection has been satisfied. Notably, BIPA provides for a private right of action, and potential awards of $1,000 in statutory damages for each negligent violation ($5,000 for each intentional or reckless violation), as well as injunctive relief and attorney’s fees.
In the suit against Google, the plaintiff alleges that the Google Photos service created, collected and stored millions of faceprints from Illinois users who uploaded photos (and, like the plaintiff, the faceprints of non-users whose faceprints were collected merely because their images appeared in users’ uploaded photos). The plaintiff claims that, in violation of BIPA, Google failed to inform “unwitting non-users who had their face templates collected” of the specific purpose and length of term of collection, failed to obtain written consent from individuals prior to collection, or otherwise post publicly available policies identifying their face template retention schedules. Plaintiff seeks injunctive relief compelling Google to comply with BIPA, and an award of statutory damages.
Since the named plaintiff claims to be a non-user of the Google Photos service, Google may not be able to transfer the matter to California based upon the forum selection clause in its terms of service. Yet, as with the prior suits against other providers, Google will likely invoke jurisdictional defenses along with multiple arguments about how the Illinois statute is inapplicable to its activities based upon certain statutory exceptions.
We will continue to follow this dispute, along with the other existing biometric privacy-related litigation. Indeed, this past week, the photo storage service Shutterfly, which is facing a similar suit to Google, is seeking to send the matter to arbitration based upon allegations that the unnamed Shutterfly user who uploaded a photo depicting the plaintiff was actually his fiancée (and current wife).