Biometric Data Theft & Class Action Data Misuse Lawsuits
Class Action Personal Data Privacy Attorney investigating biometric data theft claims on behalf of plaintiffs nationwide
Personal Data that may be convenient for commercial or security purposes has been misused and stolen, and some consumers are filing legal action as a result.
In August 2020, plaintiffs in Illinois filed a proposed class action lawsuit against Macy’s for allegedly using facial-recognition software to identify shoppers in Chicago stores. The complaint claims that Macy’s is in violation of the state’s Biometric Information Privacy Act (BIPA). Under the law, protected biometric data includes facial images used for facial recognition.
In the Macy’s lawsuit, the chief complaint focuses on the department store’s use of facial recognition software created by Clearview AI. The software was originally designed as a law enforcement tool, and it is able to match captured facial images to a database of images found on the internet from sources like Facebook and other social media sites.
The lawsuit claims Macy’s used the Clearview software to identify and track customers, as well as collected images of shoppers from in-store surveillance systems. Attorneys said in the lawsuit that the harvesting of biometric data was in clear violation of BIPA.
It is important to note that while BIPA is Illinois-born, the law extends beyond the borders of the state. Any business that collects and uses the biometric data of individuals located in Illinois must comply with BIPA. For example, is an Ohio business conducts operations that involve the collection or use of biometric data in Illinois, they must follow the same biometric privacy statute.
Biometric Data Misuse Violations
The claim against Macy’s includes allegations that Macy’s is both profiting from the use of facial recognition software, and violating the state BIPA violations. More states are currently seeking to expand or develop biometric privacy protection laws and consumer privacy advocates have raised concerns regarding corporate behavior in the data privacy arena.
Biometric data privacy violations may include a failure to get written informed consent from consumers, a failure to have a standard information retention policy, and profiting off information gathered through illegal marketing. Lawyers in notable biometric data theft lawsuits are seeking statutory damages of $5,000 per occurrence.
TikTok Data Privacy Lawsuits
Recent lawsuits filed in Illinois and California allege that TikTok has violated biometric data privacy laws. The case against TikTok alleges that facial biometric data is routinely collected by the app and sent abroad. TikTok denies the allegations, though the company says that even if the company transfers data to China or elsewhere, it would not be in violation of any law.
Technology experts hired by the plaintiffs say data is being mined and data on consumers’ mobile phones could also be vulnerable. TikTok has skyrocketed in popularity even as it is being sued for allegedly violating users’ privacy rights.
Four unnamed minors in Illinois, represented by their legal guardians, filed the suit for allegedly violating privacy laws protecting users’ biometric information, including possibly facial, fingerprint and iris scans. Plaintiffs say tens of thousands of users could be affected.
TikTok uses a facial recognition software to superimpose filters on users’ faces, and artificial intelligence to determine the user’s approximate age. According to lawyers, TikTok allegedly acquires the user’s facial geometry in the process.
The Illinois biometric privacy law has been cited in cases against Google and Facebook. In January 2020, Facebook agreed to pay $550 million to users to settle allegations that its facial tagging feature had violated biometric privacy law.
Biometric Information Privacy Act
The Biometric Information Privacy Act (BIPA) is one of the most modern examples of state legislation intended to regulate companies’ use of biometric data. Some of the more important provisions of the privacy law include:
- Requirements for companies to seek informed consent prior to collecting personal biometric data
- A limitation of rights to sell or disclose collected biometric data
- A requirement for companies to create confidentiality and data retention guidelines
- A prohibition of profiting from collected biometric data
- The right of legal action for individuals affected by data theft violations
- Enacting damages from $1,000 to $5,000 per negligent or reckless violation.
Not only do some states regulate a business’s use of biometric data, but they allow for individuals to bring legal action against companies that violate state biometric data laws. In January 2019, the Illinois Supreme Court ruled that private individuals can file data theft claims if they are able to show that their privacy rights have been violated.
Biometric Data Misuse Litigation
Although some legislation protecting consumers from companies misusing their biometric data has been passed since 2008, class action lawsuits have not been filed until relatively recently. Companies have tried to shift away from potential legal trouble, but may are still toeing the line between legal marketing tactics and invasive schemes.
At the moment, only Illinois has passed biometrics legislation that provides for a private right of action, while Texas, Washington, California, New York, and Arkansas have passed biometric statutes only allow enforcement by the state attorneys general.
Clearview Data Lawsuit
In February 2020, a class-action lawsuit was filed against the facial recognition company, Clearview AI. This was not the first lawsuit filed this year against the company. Clearview AI’s technology can provide image matches of uploaded photos of any person, along with links to its web origin. Complaints filed against the company cite violations of the California Consumer Privacy Act (CCPA) and Clearview faces allegations of using face scan data without express consent.
Clearview AI has built a database of over three billion photos, most scraped from websites and social media platforms. The company previously looked to law enforcement agencies for business, but Clearview has since expanded into markets in both the private and public sectors, including several retailers.
Pending class action lawsuits against Clearview AI allege that the widespread technology poses a threat to individual privacy. Attorneys highlight personal data concerns that could arise in the event of data theft and data breach incidents. Critics of the technology call it “Orwellian” by design and say it poses a real risk to the future of private citizens’ security.
Even major tech companies have their own concerns with Clearview. Twitter sent Clearview a cease-and-desist letter, claiming its policies were violated when data was scarped from its platform. LinkedIn and Google also sent cease-and-desists with similar claims. Facebook is demanding that Clearview stop using image data lifted from user profiles. Apple suspended Clearview’s developer account, saying the company had violated its Enterprise Developer Program terms of service.
What is Considered Biometric Data?
Beginning around 2015 data privacy litigation started to take off. But attorneys have had to prove what data is and is not biometric data. DNA is unquestionably biometric in nature, but what about images of individual faces? There are still many unknowns but litigation is proceeding nonetheless.
Some statutes regulate the collection and storage of a wide variety of identifiers such as the following:
- Retina scans
- Iris scans
- Palm prints
- Voice recognition
- Facial recognition
- DNA recognition
- Gait recognition
- Scent recognition
Employment & Biometric Data Storage
Biometric data laws apply to all industries, including private companies and individuals. The most frequent legal trouble involves employers that collect employees’ biometric information to monitor clocking in and out, productivity, security clearance, and system login. Under existing laws, private entities that utilize biometric information must have a written policy, schedule, and guidelines for its collection, retention, and ultimate destruction.
Individual State Privacy Laws
The Illinois statute prohibits an entity from collecting biometric information unless it fulfills the following:
- Informs individuals in writing that their biometric data is being captured
- Outlines the purpose and period of time for which the data will be utilized
- Receives a written release from individuals consenting to the data collection
Other states have been scrambling to catch up with modern advances and have been slow to provide biometric policies. Most states have no comprehensive biometric regulations. The following states are exceptions:
- Texas has its own biometric privacy act which provides that a person cannot capture a biometric identifier without a prior consent, and may not sell biometric date without consent. A company or person must use reasonable care in storing it, and “shall destroy the biometric identifier within a reasonable time.” Violators may face a civil penalty of $25,000 for each violation,
- Washington passed biometric privacy legislation in 2017. The law prohibits any company or individual from entering biometric data into a database for a commercial purpose without providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.
- The California Consumer Privacy Act (CCPA) regulates biometric data by including it in the definition of “personal information.” Biometric data is defined in the CCPA to include physiological, biological or behavioral characteristics, including DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings.
- New York has passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which broadens the definition of private information to include biometric information. The law applies specifically in the employment context and prohibits fingerprinting “as a condition of securing employment or of continuing employment.”
- Arkansas amended existing laws and revised the definition of covered personal information to now include biometric data.
Other states have introduced biometric legislation but most laws have not yet been enacted.
Data Misuse Litigation
The future of data privacy litigation is in the hands of congressional legislators, the U.S. Judicial System, and consumer privacy attorneys who represent plaintiffs in data misuse cases. When handling such a new area of law like biometrics, legal conflicts are likely to create confusion, but privacy is a cause worth fighting for. Cases against TikTok and Clearview AI are important for future data privacy laws and precedent.
As in past data misuse and facial recognition lawsuits (Facebook’s $650 million settlement), Clearview AI may likely reach a settlement. We do know with the current data-rich environment, we can expect many more class action data misuse and data privacy lawsuits. The Lyon Firm is committed to long and complex litigation, and has the resources to build strong class action cases.
Biometric Data Lawsuits, Biometric Privacy, Clearview AI Lawsuit, Data Broker Lawsuit, Data Misuse, Data Privacy Lawyer, Facebook Privacy Lawyer, Facial Recognition Lawsuits, Ohio Data Privacy Lawsuit, Social Media Privacy Lawsuit, TikTok Lawsuit