Header graphic for print
New Media and Technology Law Blog

Photo Storage Service’s Collection of Faceprints May Violate Illinois Biometric Privacy Statute

Posted in Biometrics, Internet, Privacy, Social Media

As we have previously noted, there are several ongoing privacy-related lawsuits alleging that facial recognition-based systems of photo tagging violate the Illinois Biometric Information Privacy Act (BIPA). The photo storage service Shutterfly and the social network Facebook are both defending putative class action suits that, among other things, allege that such services created and stored faceprints without permission and in violation of BIPA.  In the suit against Shutterfly, plaintiff claims he is not a registered Shutterfly user, but that a friend had uploaded group photos depicting him and, upon prompting, tagged him in the photo, thereby adding his faceprint to the database (plaintiff, as a non-member of the service, had never formally consented to this collection of biometric data). Shutterfly had filed a motion to dismiss, arguing that scans of face geometry derived from uploaded photographs are not “biometric identifiers” under BIPA because the statute excludes information derived from photographs.

Last week, an Illinois district court denied Shutterfly’s motion to dismiss (Norberg v. Shutterfly, Inc., No. 15-05351 (N.D. Ill. Dec. 29, 2015)).  In a terse order, the court first found that there were sufficient minimum contacts to establish specific personal jurisdiction over Shutterfly in the Illinois forum.  Next, the court considered the claim under the Illinois biometric privacy law. Without engaging in a thorough analysis of the statute and its exceptions at this early stage in the litigation, the court ruled that the plaintiff could proceed with his claim under BIPA:

“Here, Plaintiff alleges that Defendants are using his personal face pattern to recognize and identify Plaintiff in photographs posted to Websites. Plaintiff avers that he is not now nor has he ever been a user of Websites, and that he was not presented with a written biometrics policy nor has he consented to have his biometric identifiers used by Defendants. As a result, the Court finds that Plaintiff has plausibly stated a claim for relief under the BIPA.”

We will continue to closely watch the ongoing litigation surrounding biometric privacy – particularly since the specific Illinois biometric privacy statute has yet to be interpreted in great depth by a court with respect to facial recognition technology.