It is difficult to believe the Illinois Biometric Information Protection Act, 740 ILCS 14, (“BIPA”) has been in effect for more than 10 years since October 3, 2008. Many data collectors are surprised BIPA has been in effect for all these years. Issues related to biometric data have only recently grown into a major concern as the equipment that collects biometric data has evolved to the point that it can be found in a number of Illinois workplaces and businesses. To this point, the central issue in most of the BIPA cases involved allegations that data collectors collected and stored information without providing proper notice. That is, it has been rare to see allegations that an employer or business intentionally violated BIPA. However, cases involving intentional BIPA violations are becoming increasingly common.
In a case recently filed in the District Court for the Northern District of Illinois entitled Carmine v. Macy’s Retail Holdings, Inc., 20-cv-04489 (N.D. Ill. Aug. 5, 2020), a class action plaintiff claims the department store, Macy’s, provided video of shoppers to Clearview AI, Inc. who, in turn, used the video images to gather sensitive data for Macy’s about its customers. The substance of the plaintiff’s allegations is that the use of the video, the submission of the images to Clearview and Macy’s obtaining sensitive data was done without customers’ permission. Before getting into the substantive allegations against Macy’s, the Complaint contains allegations providing background on Clearview based on recent newspaper articles. (“The article  described a dystopian surveillance database, owned and operated by a private company and leased to the highest bidder.”) The Complaint also provides information on reports that Clearview also worked with “2,200 law enforcement agencies, companies and individuals around the world.”
The Complaint alleges that “Macy’s has run the identities of over six thousand individual customers through the database.” This process that allows Macy’s to obtain personal information on its customers includes the following:
- First, Macy’s stores and gathers images of its customers through video surveillance equipment that has been placed in its stores. (Complaint at ¶ 15).
- Next, Macy’s sends the images to Clearview where the images are run through Clearview’s software. (Complaint at ¶ 16).
- “The faces are then processed by Clearview’s software, and their biometric data is extracted. The biometric data is a collection of vectors and/or other data points that allows faces to be classified, searched and indexed.” (Complaint at ¶ 18).
In particular, the database is described as including photographs and personal data of millions of Americans which Clearview obtained by “scraping” social media including Facebook, Instagram and Twitter. If there is a match to the face of the Macy’s customer, the personal information scraped from social media is sent to Macy’s.
It will be interesting to see how Macy’s responds to the allegations to the extent the definition of “biometric identifier” in BIPA does not include video images of a person and further, expressly excludes photographs from the definition. Therefore, while the Complaint alleges Clearview used face scans that assign “vectors” and other “data points” to scrape information, it does not expressly allege Macy’s did anything more than merely collect video images of its customers. A court may struggle with the question of whether Macy’s violated BIPA if it sent the video images to Clearview and personal information on customers while Clearview ran the face scans. Consequently, there may be questions as to whether Clearview violated BIPA and if Macy’s can simply contract work out that may violate BIPA.
Of course, while the complaint filed against Macy’s may signal more litigation against retailers, we have seen this technology at work for quite some time. Taylor Swift used similar technology to the technology used by Macy’s in this matter when she installed face-recognition cameras at her concerts to cross-reference video images against pictures of her stalkers . This technology was explained in the following manner:
Taylor Swift fans mesmerized by rehearsal clips on a kiosk at her May 18th Rose Bowl show were unaware of one crucial detail: A facial-recognition camera inside the display was taking their photos. The images were being transferred to a Nashville “command post,” where they were cross-referenced with a database of hundreds of the pop star’s known stalkers, according to Mike Downing, chief security officer of Oak View Group, an advisory board for concert venues including Madison Square Garden and the Forum in L.A. “Everybody who went by would stop and stare at it, and the software would start working,” says Downing, who attended the concert to witness a demo of the system as a guest of the company that manufactures the kiosks.
Therefore, society is faced with the question of whether we are comfortable using this technology to sniff out criminals while we are not comfortable with using this technology to obtain information concerning customers.
While the vast majority of the cases involving alleged BIPA violations have been brought by employees against their employers in recent years, we can expect to see an increase in cases brought by consumers. The case involving Macy’s and Clearview AI is worth watching to see how many retailers are gathering information about their customers if retailers and other businesses are also working with Clearview AI and if the retailers or Clearview AI are going to have to face alleged BIPA violations.