Faces in the Crowd: Protecting Your Biometric Information in the Internet Age
In the digital world of today, we know that biometric recognition technologies, including fingerprint, face, voice and eye recognition, are a fact of life. Often, these systems are there for additional security purposes, or even for our own convenience.
How many people have scanned a fingerprint into their own iPhone to avoid having to input a security code every time they want access? I have. And when I did, I didn’t think twice about the fact that I was handing over my unique biometric information to my iPhone. Consumers don’t always know that their biometric information is being collected and that’s when potential privacy issues arise.
Illinois is on the cutting edge of biometric privacy law. The state enacted a 2008 statute known as the Biometric Information Privacy Act (“BIPA”), which protects consumers by providing guidelines and limitations on the collection, retention, disclosure and storage of biometric identifiers (defined as retinal scans, iris scans, voiceprints, fingerprints, and scans of hand or face geometry) and also “biometric information” (information derived from biometric identifiers). The statute prohibits companies from collecting and storing this data without first obtaining a person’s informed written consent. The Illinois statute also allows a private person to sue, and permits the plaintiff to recover “for each violation” either $1,000 or actual damages for negligent violations, and $5,000 or actual damages for intentional or reckless violations.
On its face, the statute provides to consumers have a powerful tool to combat the uninformed collection and misuse of their biometric data. But, until very recently, no court had ever confirmed the application of BIPA and its importance to Illinois consumers. In fact, there were no reported opinions at all.
In the first ruling of its kind, Judge Charles Norgle of the United States District Court for the Northern District of Illinois in Norberg v. Shutterfly
held that BIPA covers the use of facial recognition technology derived from photographs, permitting a consumer plaintiff to proceed with his suit against a photo sharing service (Disclosure: LDG is one of the firms serving as counsel for the plaintiff in the Shutterfly
litigation) Significantly, in that case, the plaintiff was not a customer of Shutterfly and did not consent to having his face scanned. Rather, his photo had been uploaded by someone else who was a customer and Shutterfly then took and used the plaintiff’s biometric information.
Though the defendants in Shutterfly
argued that scans of face geometry that come from photographs (as opposed to in-person scans) do not fall within the scope of BIPA, Judge Norgle disagreed. He ruled that the plaintiff’s allegations fit within the plain meaning of the statute and that the plaintiff adequately stated his claim.
is an important case to watch. The litigation is uniquely important for vigilant consumers interested in keeping their biometric information protected and knowing exactly how that information will be used. If the plaintiff is successful, companies will know that they need to disclose the use of biometric information and that the process should be conscious and voluntary for the consumer.