While there has been a huge increase in class action cases based on alleged violations of the Illinois Biometric Information Act (“BIPA”), it has not gone unnoticed that the vast majority of the recent cases are limited to allegations brought by employees against their employers rather than by customers. That is, the case law is developing into two distinct branches: BIPA customer cases and BIPA employment cases.
The rapid development of BIPA employment cases is surprising to the extent the Illinois Supreme Court’s decision in Rosenbach v. Six Flags, 2019 IL 123186 (Jan 25, 2019) involved a customer of the Six Flags amusement park. It is still unclear if the BIPA customer lawsuits are not developing as quickly because equipment that collects biometric data is not being used for customers or customers are still unaware that their data is being gathered. Either way, there is little question that data collectors must brace for the next wave of BIPA cases brought by customers.
BIPA lawsuits related to photo storage applications provided by Google LLC (“Google”) and other social media companies are providing some guidance on BIPA customer cases. In particular, Google Photos collects and stores photographs and promises to provide “[f]ree storage and automatic organization for all your memories.” There are allegations that this technology uses “face templates” of the subjects in the photographs. This photo application has provided a number of BIPA cases outside the employment cases currently working through the courts.
A New BIPA Customer Lawsuit Involving the Google Photo App
On February 6, 2020, Brandon Molander (“Molander”) filed a Class Action Complaint against Google LLC in the District Court for the Northern District of California based on alleged BIPA violations. Molander claims Google “created, collected, and stored, in conjunction with its cloud-based ‘Google Photos’ service, millions of ‘face templates’ (or ‘face prints’)—highly detailed geometric maps of the face—from millions of Google Photos users.” (Molander Complaint at ¶ 5). The Molander Complaint continues: “Google creates these templates using sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces that appear in photos taken on Google Android devices and uploaded to the cloud-based Google Photos service.” In particular, the Molander Complaint alleges that with this technology, “[e]ach face template that Google extracts is unique to a particular individual, in the same way, that a fingerprint or voiceprint uniquely identifies one and only one person.”
The Molander Complaint provides the following concerning Google’s technology:
- “In May 2015, Google announced the release of its photo sharing and storage service called Google Photos. Users of Google Photos upload millions of photos per day, making photographs a vital part of the Google experience.” (Complaint at ¶ 19)
- The Google Photos app is pre-installed on all Google Android devices and “is set by default to automatically upload all photos taken by the Android device user to the cloud-based Google Photos service.” (Complaint at ¶ 20)
- “Unbeknownst to the average consumer, and in direct violation of [Illinois’ Biometric Information Protection Act], Google’s proprietary facial recognition technology scans each and every photo uploaded to the cloud-based Google Photos for faces, extracts geometric data relating to the unique points and contours (i.e. biometric identifiers of each face, and then uses that data to create and store a template of each face – all without ever informing anyone of this practice.” (Complaint at ¶ 21)
Based on these allegations, Molander claims Google improperly collected, used and stored his biometric data without obtaining a written release, used his information without properly notifying individuals that his information was being gathered and used his information without providing a public “retention schedule or guidelines for permanently destroying the biometric identifiers and/or biometric information.”
Guidance For BIPA Customer Lawsuits
We have seen similar lawsuits filed against Google before Molander v Google LLC. For example, the Eastern District for the Northern District of Illinois analyzed BIPA claims related to Google Photos in Rivera v Google, Inc.,16 C 02714 (N.D. Ill 2016). In Rivera, the District Court found claims by Plaintiffs that Google collected, uploaded and scanned photographs to create “facial templates” were sufficient to survive Google’s motion to dismiss. The District Court rejected Google’s argument that Plaintiffs’ class-action lawsuit should be dismissed because BIPA does not “apply to photographs or information derived from photographs.” Plaintiffs countered that face geometry scans constitute “biometric identifiers” under BIPA and, thus, must be protected. Ultimately, on December 29, 2018, the Eastern District granted Google’s motion for summary judgment finding “Plaintiffs have not suffered an injury sufficient to establish Article III standing and their claims are dismissed.” Therefore, based on this case, Molander may have an uphill battle to establish Google violated BIPA with the collection, storage and use of his photographs. (The Privacy Risk Report closely followed the Rivera case.)
While only the Class Action Complaint has been filed at this point in Molander v. Google LLC, case no. 20-cv-918, there are some recent developments that may provide guidance in the Molander case and BIPA customer cases.
First, we have seen many of the biometric data cases, outside the employment context, reach a resolution since Rivera was decided by the District Court for the Northern District of Illinois. The most recent example was seen a couple of weeks ago when it was widely reported in January 2020 that Facebook settled its own class-action lawsuit for $550 million based on claimed violations of Illinois’ Biometric Information Protection Act. The Facebook lawsuit seems to be based on technology that is similar to the technology at issue in Molander v. Google LLC: “The suit said the Silicon Valley company violated an Illinois biometric privacy law by harvesting facial data for Tag Suggestions from the photos of millions of users in the state without their permission and without telling them how long the data would be kept.” Therefore, it will be important to watch the Molander case to see if a large settlement for this technology is a trend that continues. The Facebook settlement will undoubtedly get plaintiffs’ class actions lawyers thinking about BIPA customer cases.
Additionally, there are questions as to how this technology will be used by companies for marketing or other unapproved uses. For example, we can expect to see more news about Clearview AI. Clearview AI created a massive database of photographs (estimates of 3 billion photographs so far) “scraped” from social media. At this point, Clearview AI has made this database only available to law enforcement. Since the Rivera case, companies such as Clearview AI provide a glimpse of how this technology can be used and the control people may lose over their biometric data. These new uses for this technology may view how courts decide these cases. Over the next few months, we will see if the initial wave of BIPA employment cases crests and if BIPA customer cases pick up the pace.