Passed in 2008, the Illinois Biometric Information Privacy Act (BIPA) regulates collection of biometric markers such as fingerprints or facial metrics. Since its passage, the Illinois BIPA has been used to restrict technology giants and their use of users’ personal information, particularly photographs. To understand the scale of this, Facebook reported in a 2013 whitepaper that its users have uploaded more than 250 billion photos. It was estimated in 2017 that the total number of digital photos stored in electronic databases was around 5 trillion.
Documenting and categorizing the faces of a significant percentage of the world’s population represents a major opportunity for technology and data companies. Ten years into enforcement and a figurative eternity into the technological evolution of the process, the Illinois BIPA has been an unavoidable feature of the big data landscape. Though potentially impactful cases remain pending (or on appeal), technology companies largely have been unable to convince courts that their facial recognition technologies should escape regulation under BIPA.
BIPA requires explicit consent before a company may, among other things, collect a “scan of . . . face geometry.” (740 ILCS 14/10, 14/15). Facebook, Google, Snapchat and Shutterfly all have facial recognition features hat potentially fall under the BIPA’s regulatory umbrella. By and large, courts have classified these as being subject to BIPA. In one case (In Re Facebook Biometric Information Privacy Litigation, 185 F. Supp. 3d 1155 (N.D. Cal. 2016), Facebook argued that its technology does not perform a “scan of . . . face geometry” because it does not measure distances and angles of human features for identification. Rather, it uses machining learning models to recognize human faces based on detection of “fiducial points” at the pixel level. 2018 U.S. Dist. LEXIS 81044. While the court declined to opine on the operation of Facebook’s facial recognition technology, it interpreted the terms “scan” and “geometry” broadly—and not to require actual or express measurements of spatial or traditionally “geometric” quantities, like distance, depth, or angles, of an entire facial feature. Id. at *11-12.
Technology defendants have also argued for application of BIPA’s photograph exception. BIPA defines two regulated categories: biometric identifiers and biometric information. Biometric identifiers include “retina or iris scan[s], fingerprint[s], voiceprint[s], or scan[s] of hand or face geometry” but specifically exclude a number of items, such as written signatures and photographs. (740 ILCS 14/10). Biometric information is defined to include any information based on an individual’s biometric identifier that is used to identify an individual. (Id.). Information derived from photographs is exempted from the definition of biomettric information. (Id.). Technology defendants seized on this exception, arguing that, because their facial models are derived from user-uploaded photographs, they are exempt from regulation.
So far, courts have not accepted this argument. Shutterfly was sued over its facial recognition software. which analyzed photos uploaded by users against group photos including the same faces. Shutterfly argued that, because BIPA excludes data derived from photographs from the definition of “biometric information,” the Illinois legislature intended to exclude all biometric data obtained from photographs. Monroy v. Shutterfly, Inc., 2017 U.S. Dist. LEXIS 149604, at *7-8 (N.D. Ill. Sep. 15, 2017). As Shutterly further pointed out, the legislative history of BIPA explicitly included facial recognition as a covered topic at one point, although the Illinois legislature ended up adopting what Shutterfly characterizes as the much narrower version present today. While the court recognized the logic behind the argument, it decided that it did not have the contextual support necessary to construe BIPA as narrowly as Shutterfly advocated.
The Facebook decision discussed above determined the photograph exception to apply to “paper prints of photographs, not digitized images stored as a computer file.” In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155, 1171 (N.D. Cal. 2016). According to that court, the drafters included the photograph exception in parallel with written items, such as samples and signatures, in an effort to exempt known identifiers while seeking to broadly regulate unknown, emerging technologies. The “paper print” reasoning has not found traction outside of the 9th Circuit.
The Northern District of Illinois, in Rivera v. Google, Inc., found another basis to reject the electronic photograph exception. Despite Google’s argument that its facial templates were derived from photographs, and therefore excluded from BIPA’s definition of biometric information, the court found that face templates were still biometric identifiers since BIPA does not limit or qualify the definition of biometric identifiers based on how they were derived. Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1095 (N.D. Ill. 2017). Indeed, the Rivera court viewed BIPA as an attempt to regulate new and emerging technologies, and therefore found it unlikely that the drafters would limit its scope based how the biometric identifiers were collected.
The Rivera court construed the biometric identifier clause noting that “the bottom line is that a ‘biometric identifier’ is not the underlying medium itself, or a way of taking measurements, but instead is a set of measurements of a specified physical component (eye, finger, voice, hand, face) used to identify a person.” Id. at 1095-96. Of note is how Rivera’s interpretation of the biometric identifier clause should be read in the context of the biometric information clause. The drafters of BIPA chose to define “biometric identifiers” separately from “biometric information,” defining the latter as “any information . . . based on an individual’s biometric identifier.” However, the Rivera court’s definition of a biometric identifier as a “set of measurements” separate and apart from the underlying medium and method of capture appears to subsume all biometric information, creating a layered regulatory structure where biometric information is now construed to be a type of biometric identifier. Plaintiffs must now differentiate between what is both information and an identifier and what is an identifier but not information in order to avoid the biometric information clause’s broader exceptions. There is insufficient legal precedent or plain language in BIPA to allow plaintiffs to make these distinctions and it opens the door for defendants to argue the scope an exception clause that at least at first blush seemed straightforward.
All of this leads to the conclusion that the interpretation of BIPA has adapted to maximize its reach, even with technologies and arguments unknown at the time of its passage.
For more information regarding this article, please contact Matthew Hays.
For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.
To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.
As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.