Illinois Biometric Information Privacy Act Strikes Again
Snapchat’s parent company is defending against a class-action lawsuit in the U.S. District Court for the Northern District of Illinois brought by two platform users identified as Adrian Coss and Maribel Ocampo.
The lawsuit alleges that the platform violates the Illinois Biometric Information Privacy Act by failing to provide users with the required disclosures under the act while collecting, storing and sharing users’ unique facial features and voices.
The Illinois Biometric Information Privacy Act enacted in 2008 was an important first step in developing policy on biometrics. According to the law, a private entity possessing biometric information accessible to the public must have a retention schedule and policy for permanently destroying biometric information. Additionally, there are restrictions on how a private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information. Most importantly, this law requires obtaining written consent prior to collecting biometric information as the law provides a private right of action for anyone injured under the Act.
Lanton Law’s technology practice, which includes biometrics and privacy issues, has been monitoring the Illinois Biometric Information Privacy Act for some time. We have posted several blogs addressing this issue as companies continue to evolve biometrics into their business models.
Lanton Law is a national healthcare and life science boutique law and government affairs firm that closely monitors legislative, regulatory and legal developments for our clients. Our healthcare practice can help stakeholders understand what’s at issue so that we can help our valued clients reach their goals. Contact us to learn about how either our legal or lobbying services can help you attain your priorities.
Lanton Law’s publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without prior written consent of us. To request reprint permission for any of our publications, please use our “Let’s Chat” form, which can be found on our website at www.lantonlaw.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship.
Litigation Involving the Illinois Biometric Information Privacy Act May Hold the Key to Future Biometric Policy
The Illinois Biometric Information Privacy Act enacted in 2008 was an important first step in developing policy on biometrics. According to the law, a private entity possessing biometric information accessible to the public must have a retention schedule and policy for permanently destroying biometric information. Additionally, there are restrictions on how a private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information. Most importantly, this law requires obtaining written consent prior to collecting biometric information as the law provides a private right of action for anyone injured under the Act.
Interestingly, the case of Patel v. Facebook is an illustration of how this law applies to our growing dependence on technology. The question in Patel is whether the collection of an individual's biometric data in violation of the Illinois Biometric Information Privacy Act is sufficient to establish Article III standing. According to the complaint, plaintiffs allege that Facebook subjected them to facial-recognition technology without complying with an Illinois statute intended to safeguard their privacy. Since the plaintiff did not allege substantive harm, the defendant moved to dismiss the case on Article III standing grounds. However, the Ninth Circuit stated that “Because a violation of the Illinois statute injures an individual’s concrete right to privacy, we reject Facebook’s claim that the plaintiffs have failed to allege a concrete injury-in-fact for purposes of Article III standing.”
This case is in contrast to Santana v. Take-Two Interactive Software, Inc., which in 2017, interestingly, had the same Illinois law at issue. In this case, plaintiff purchased NBA 2K15 and used the MyPlayer feature that allowed the creation of MyPlayer avatars. However, the Illinois Biometric Information Privacy Act’s private right of action allowed plaintiff to allege that defendant “(1) collected their biometric data without their informed consent; (2) disseminated their biometric data to others during game play without their informed consent; (3) failed to inform them in writing of the specific purpose and length of term for which their biometric data would be stored; (4) failed to make publicly available a retention schedule and guidelines for permanently destroying plaintiffs’ biometric data; and (5) failed to store, transmit, or protect from disclosure plaintiffs’ biometric data by using a reasonable standard of care or in a manner that is at least as protective as the manner in which it stores, transmits, and protects other confidential and sensitive information.”
The Second Circuit, in contrast to Patel, found that the plaintiff lacked standing for this claim because they did not allege that this deficient notice created any material risk that would have “resulted in plaintiffs’ biometric data being used or disclosed without their consent.”
So what happens now? First, Santana is a summary order, which means that it is not binding precedent on the Second Circuit. The Patel court attempted to distinguish itself from Santana by saying that in Patel, unlike Santana, the plaintiff did not know that their biometric information was being collected. It seems like the U.S. Supreme Court may be the appropriate forum to settle this split decision by the Court of Appeals. This is especially true as Congress has not yet passed a federal biometric law that could put all questions to rest. Needless to say, as technology companies look for innovative ways to deliver advanced customer experiences, these stakeholders may want to forecast how their new products may be impacted by enacted laws such as those on biometrics. Contact Lanton Law for additional information.
Amazon’s Hand Scanning Points to the Need for Biometrics Policy
Recently, we have learned of Amazon’s new hand scanning idea to revolutionize consumer interactions via fintech. The idea would involve creating a payment system that would biometrically scan a user’s hand to transfer payment from the user to Amazon, instead of via a credit card, phone application or cash. New point of sale terminals equipped with this technology would be placed in brick and mortar stores so that customers can “travel lighter” by not having to worry about carrying physical payment forms. There are early indications that Visa will be working with Amazon on this idea, along with potentially Mastercard, J.P. Morgan, Wells Fargo and others. While this theoretically sounds like a logical fit for where technology and banking or “fintech” is moving, are there laws in place that govern biometrics?
Surprisingly, there is not a lot of established law on the issue of biometrics. We first started hearing about biometrics in 2014 with a Congressional bill titled the “Biometric Information Privacy Act,” also known as H.R. 4381. Sponsored by Representative Stockman (R-TX), the bill called for penalties to a business entity, governmental entity or person who knowingly (1) fraudulently obtains personal physiological biometric information relating to an individual; or (2) discloses personal physiological biometric information without permission from the individuals to which the personal physiological biometric information pertains. That bill did not get much traction.
Congressional members have recently taken a cautious tone when dealing with Amazon’s cutting edge technology. For example, in late 2018 Rep. Jimmy Gomez (D-CA), joined by Senator Edward Markey (D-MA) and Reps. Luis Gutiérrez (D-IL), John Lewis (D-GA), Judy Chu (D-CA), Ro Khanna (D-CA), Pramila Jayapal (D-WA), and Jan Schakowsky (D-IL), sent a letter to Amazon Chairman, President, and CEO Jeff Bezos, requesting information about Amazon’s facial recognition technology, branded and sold as “Amazon Rekognition.” The letter expressed concern about the technology’s potential impact on communities of color. And while there are no federal rules outlining biometrics, we do see federal agencies speaking with the tech community on utilizing biometric technology for future unspecified projects.
State policy on this issue has been a bit of a mixed bag. While Illinois, Washington and Texas have biometric laws on the books, other states are following suit. Florida, Arizona, Massachusetts, Connecticut and New Hampshire, to name a few, are states that are debating biometrics, while California is about to undergo implementing its CCPA, otherwise known as the California Consumer Privacy Act, protections. We wrote a prior blog on the specifics of the new California law, which we believe will be a precursor to similar policies being developed in the near future.
In conclusion, we expect fintech to continue to be ahead of the law as companies like Amazon push forward to create marketplace solutions that provide convenience and a relatable user experience. The question becomes whether policymakers are comfortable with the pace of expansion and the awkwardness of proceeding with little to no regulatory oversight on something as personal to us as our biometrics.
Contact Lanton Law for additional information or for strategies on how to deal with unsettled legal and policy issues within biometrics.