InfoBytes Blog
Federal District Court Allows Discovery in Class Action Concerning Internet Company’s Collection of Biometric Data
In a Memorandum Opinion and Order handed down on February 27, a District Court in the Northern District of Illinois declined to dismiss a putative class action alleging that a cloud-based photographic storage service offered by an Internet company (the Company) violated the Illinois Biometric Information Privacy Act (BIPA) by automatically uploading plaintiffs’ mobile photos and allegedly scanning them to create unique face templates (or “faceprints”) for subsequent photo-tagging without consent. Specifically, the Court rejected the Company’s argument that application of BIPA to facial geometry scanning by by an internet service located outside of Illinois is an improper extraterritorial application of Illinois law.
The Plaintiffs alleged that the Company failed to both (i) obtain the necessary authorization or consent to the creation and subsequent storing of “faceprints” by the photo storage service, or (ii) make publicly available a data retention and destruction schedule as required under the BIPA. In responding to these claims, the Company argued that the term “biometric identifier,” as defined in the BIPA, does not extend to “in-person scans of facial geometry” and does not cover photographs or information derived from photographs. The Company also sought to dismiss the case on jurisdictional grounds, arguing that under principles of federalism, pre-emption, and the extra-jurisdictional application of state law, the BIPA cannot properly regulate activity – such as the storage of data on the Company’s servers – that does not occur “primarily and substantially” within the state of Illinois.
In analyzing the Company’s argument, the Court looked to the following two definitions set forth in the Illinois law:
- “Biometric identifier,” which is defined as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and explicitly “do[es] not include writing samples, written signatures, photographs. . . .”; and
- “Biometric information,” which is defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual,” and explicitly “does not include information derived from items or procedures excluded under the definition of biometric identifiers.”
Ultimately, the Court disagreed with the Company’s reading of “biometric data” because, among other reasons, “nothing in the text of [the BIPA] directly supports this interpretation.” The Court deferred deciding on the Company’s arguments that the claims would require extraterritorial application of the statute and/or would violate the Dormant Commerce Clause by reaching beyond state boundaries, because, among other reasons, “[d]iscovery is needed to determine whether there are legitimate extraterritoriality concerns.”
On March 9, the Company filed a motion seeking permission to file an interlocutory appeal to the Seventh Circuit, with a request for a stay of further proceedings pending the appellate court’s decision on the request for an appeal.