- Privacy Risk Report - https://privacyriskreport.com -

Face It, We Are Going To See A Lot Of The Illinois’ Biometric Information Protection Act In Courts

Over the last few weeks, the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1 et seq [1].) has presented a number of unique questions for courts.  On February 14, 2017, we addressed Vigil v. Take-Two Interactive Software, Inc., where the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game [2].  This week, the Eastern District for the Northern District of Illinois analyzed BIPA in Rivera v. Google Inc. [3], 16 C 02714 (N.D. Ill 2016), and found allegations that Google created and stored face-scans taken from pictures taken on Google devices may constitute a violation under BIPA and at least may survive a motion to dismiss.

In Rivera, the Court found claims by Plaintiffs that Google collected, uploaded and scanned photographs to create “facial templates”  were sufficient to survive Google’s motion to dismiss.  In particular, Plaintiff Rivera alleged that the scans “located her face and zeroed in on its unique contours to create a ‘template’ that maps and records her distinct facial measurements.”  Likewise, Plaintiff Weiss claims he took approximately twenty-one photos which were uploaded to the cloud based server and were scanned “to create a custom face-template based on Weiss’s features.”  Plaintiffs claim their face-templates were used “to find and group together other photos of them” and to “recognize their gender, age, race, and location.”

Under the section of the Rivera decision entitled “Face Geometry Scans,” Google asserted that Plaintiffs’ class action lawsuit should be dismissed because BIPA does not “apply to photographs or information derived from photographs.” Plaintiffs countered that face geometry scans constitute “biometric identifiers” under BIPA and, thus, must be protected.  The District Court denied Google’s motion to dismiss based on a finding that Plaintiffs sufficiently alleged that Google’s actions fell into the definitions found in BIPA and may have been violations of the Act.

The District Court first examined the meaning of “Biometric Identifier” as used in BIPA.   The Act defines this term as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  The District Court further noted that this list is “a biology-based set of measurements (“biometric”) that can be used to identify a person (“identifier”). BIPA also provides at lengthy list of items that are not biometric identifiers which include, but are not limited to photographs.  (“Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used fro valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color or eye color).

Based on the definition of “Biometric Identifier” and the list of items not included in the definition, the District Court found the allegations in Plaintiffs’ Complaint involving “face templates” qualified as a biometric identifier under BIPA. The District Court rejected Google’s argument that “only face scans that are done in person can qualify…” for protection under BIPA.

The District Court also rejected Google’s assertion that the face templates were not biometric identifiers since photographs were one of the items expressly removed from the definition of biometric identifier under BIPA. The District Court’s decision was based on its finding that the Plaintiffs were not alleging the photographs themselves were biometric identifiers.  The District Court rejected Google’s argument that the separate definitions of “biometric identifier” and “biometric information” somehow “distinguish the ‘source of the content.’”  The District Court’s decision provides the following excerpt from Google’s brief concerning this argument:

What is derived from a person is a ‘biometric identifier,’ and what is subsequently derived from a biometric identifier is “biometric information.’ The statute’s structure thus confirms that a ‘scan of…face geometry’ must be derived from the person herself.  Plaintiffs’ reading of the statute would collapse this careful structure, rendering the distinction between ‘biometric identifier’ and ‘biometric information’ meaningless. 

The District Court summarized Google’s position as: “…Google is arguing that if biometric information cannot be ‘based on’ something from the biometric-identifier paragraph’s ‘do not include’ list (for example, ‘photographs’), then an identifier may also not be ‘based on’ something from that same list.” And, the District Court rejects this argument by making the following distinction between these terms:

…the things on the list of biometric identifiers are just that—specific, biology based measurements used to identify a person, without reference to how the measurements were taken. And,…the ‘biometric information’ goes on to ensure that private entities cannot to an end-around the Privacy Act by converting biometric identifiers into some other format.” 

In the alternative, Google argued that BIPA does not apply even if it collected and used the photographs since Google did not act in Illinois. We will address the District Court’s analysis of this issue in our next post.

It is important to note that, in denying Google’s motion to dismiss, the District Court leaves the question open of whether Google’s arguments would hold up “once further factual development has occurred in discovery.” Therefore, in finding additional discovery is needed on this issue, the Court finds Plaintiffs adequately stated a claim under BIPA to survive the motion to dismiss.  The District Court further held that “[i]t is conceivable that discovery will reveal that what Google is actually doing does not fit within the definition of biometric identifier as interpreted by the Court.”  This case, and many cases currently in the courts involving these issues, will provide a unique opportunity to watch the development of various privacy legislative acts and allow us to see whether the current laws keep up with the development of technology.