The latest question in privacy law is not what’s in a name (or IP address, PHI, TV viewing activity, etc.), but what’s on a face. Consumers are becoming increasingly concerned with how companies are using their biometric information such as facial, fingerprint, and iris information. In one closely watched case, photo sharing website Shutterfly faces allegations that it violated consumer privacy by collecting facial scans without consent.
On September 18, a federal judge in Illinois rejected Shutterfly’s attempt to dismiss a putative class action suit by arguing that the state's privacy statute does not apply to face geometry scans obtained from photographs. The motion also argued that the statute requires a showing of actual injury that was not met and that the plaintiff’s claims raised extraterritorial issues. All three arguments were shot down.
The plaintiff allegedly found his photo uploaded to the Shutterfly site and tagged with his name, despite never having used Shutterfly’s services. According to the lawsuit, Shutterfly then created a map of the plaintiff’s face and stored that data without informing the plaintiff or asking for his consent. Now, following Shutterfly’s unsuccessful motion to dismiss, the case moves forward in an Illinois federal court.
So, Why Illinois?
Illinois is home to the latest trending privacy acronym you need to know: BIPA. BIPA, or the Biometric Information Privacy Act of 2008, is considered to be the strictest biometrics law in the United States. BIPA requires companies collecting biometric data to obtain prior consent, disclose how the company will use the data, and disclose how long the company will store the data. Indeed, it is the only state biometrics law that allows for a private right of action against alleged violators. BIPA makes Illinois one of the top battlegrounds as biometric technologies develop and privacy considerations become more complex.
Companies considering the use of biometric technologies must be prepared for a rise in class actions in this space. Biometric information is particularly sensitive because it involves something that is an actual part of an individual. Proactively complying with BIPA or similar standards can help organizations protect their business and keep up with technological developments while also protecting the customer and keeping regulators at bay. While BIPA may be providing the basis for the primary battleground in the US, this is an area where the laws are evolving and regulators around the world are watching how biometric data is handled.
Arent Fox’s Privacy, Cybersecurity & Data Protection group monitors issues involving data transfer. For more information, please contact Sarah L. Bruno, Donna McPartland, Eva J. Pulliam, or the Arent Fox professional who regularly handles your matters.