This article originally appeared in the September 2022 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
In my Sept. 2019 column, “Biometrics, the Law and Your Company” (www.securityinfowatch.com/21094070), and my Dec. 2019 column, “More Major Companies Fighting Illinois Biometrics Law” (www.securityinfowatch.com/21114899), I wrote about one of the most stringent and robust privacy statutes in the country – the Illinois Biometric Information Privacy Act (BIPA).
Under BIPA, private entities are not permitted to “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” unless they follow certain procedures – such as obtaining prior notification and consent and developing a publicly available, written policy governing how long any biometric data will be retained.
BIPA uniquely provides individuals with a private right of action for money damages for each violation – making it a powerful tool for plaintiffs’ lawyers.
Indeed, several prominent companies have faced class actions or other lawsuits under BIPA, including Facebook, Home Depot, Lowe’s and other large companies.
Ring Under the Microscope
In 2020, Ring LLC (a subsidiary of Amazon) was sued under BIPA in Wise v. Ring LLC on the basis that its video cameras collected, stored and used plaintiff’s (and other similarly-situated individuals’) biometric identifiers and biometric information without their informed written consent.
The plaintiff claims that Ring uses video footage collected from its cameras to improve its patent pending facial recognition technology, which it allegedly stores in an unencrypted format and allows staff around the world to process. It was also alleged that Ring has created millions of face templates from Illinois residents whose faces were captured by Ring’s cameras without obtaining the consent required under BIPA.
Notably, the proposed class of plaintiff excludes any Illinois resident who purchased a Ring camera – presumably because they have consented or are deemed to have consented to the collection of their biometric information.
In 2022, Ring moved to dismiss the plaintiff’s First Amended Complaint. Among other things, Ring argued that the plaintiff failed to state a claim under BIPA because she did not allege any “biometric data” collected, captured, or possessed by Ring can be used to identify her. Specifically, Ring noted the plaintiff has no contractual relationship with Ring and that any alleged face templates gathered are not biometrics under BIPA because they do not include identifying information such as a name, address, or phone number tying the images to a person.
Courts are divided on whether non-users, such as the plaintiff in the Ring litigation, can make a claim under BIPA. In Zellmer v. Facebook Inc., cited by Ring, the court held that the Illinois legislature intended BIPA only to apply in situations where a business had at least some relationship with the people subject to biometric data collection. In that case, Facebook was required to comply with the notice and consent requirements of BIPA for its known users, but not for any unknown users. This was because Facebook had no method to notify and receive consent from any non-users whose faces may be scanned in photos uploaded to its website.
Unfortunately for Ring, a federal judge in Seattle did not agree. In an Aug. 3, 2022, decision denying Ring’s motion to dismiss, the court held that Ring must face allegations that it used its cameras to record passersby and collect their biometric data without their consent. Specifically, the court stated that it could not determine conclusively – at this early stage of the litigation – whether Ring has a system capable of immediately identifying individuals from their biometric data. The court pointed to Ring’s partnership with law enforcement and Ring’s patent applications for the proposition that Ring’s facial recognition technologies are intended to identify individuals, including non-users.
This denial of Ring’s motion to dismiss does not mean that Ring’s cameras violate BIPA; rather, it means only that plaintiff’s claims can proceed to the next phase of litigation. More to come.
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at [email protected].
