Biometric Privacy Litigation: Is Unique Personally Identifying Information Obtained from a Photograph Biometric Information?

• Publication year: 2016
• Author: By Natasha Kohne and Kamran Salour

BIOMETRIC PRIVACY LITIGATION: IS UNIQUE PERSONALLY IDENTIFYING INFORMATION OBTAINED FROM A PHOTOGRAPH BIOMETRIC INFORMATION?

By Natasha Kohne and Kamran Salour¹

I. FACIAL RECOGNITION TECHNOLOGY:THE ABILITY TO PERSONALLY IDENTIFY SOMEONE FROM A PHOTOGRAPH

A. Social Media Sites Store Millions of Individualized Faceprints Generated From Photographs

Millions of people upload their photographs to social media sites such as Google and Facebook every day.² Google Photos touts more than 200 million monthly active users.³ Shutterfly's ThisLife database stores roughly 18 billion images.⁴ And Facebook claims that it has already uploaded 250 billion user photos, with 350 million more uploads daily.⁵

But in today's technological world, with only a mathematical algorithm, any person's face from a photograph can be analyzed and converted into an individualized "faceprint"—a unique identifying tag analogous to a fingerprint.⁶ Creating a faceprint is surprisingly simple: typically, an algorithm measures the relative position, size, or shape of the eyes, nose, cheekbones, and jaw; these measurements are then compared with an existing database of images to determine a match.

Though simple, these algorithms are remarkably effective. Google's FaceNet algorithm reportedly identifies faces with 99.63 percent accuracy. Facebook's DeepFace operates at a reported 97.25 percent accuracy rate. Both algorithms significantly outperform the FBI's facial recognition program, which reports an 85 percent success rate.⁷ To appreciate the effectiveness of these algorithms consider this: if you present a person with two pictures, that person can tell at around a 97 percent accuracy rate whether the same person is in each photograph.⁸

[Page 150]

As is evident from these comparative statistics, a company can generate readily a faceprint and identify a previously unknown individual from that faceprint with facial recognition technology with astonishing precision.

B. Faceprints Raise Potential Biometric Privacy Issues

Both Google and Facebook have amassed considerable faceprint databases. So far, Google Photos has applied automatically more than 2 trillion identifying tags to photographs in its database.⁹ Facebook has not disclosed the size of its faceprint database, but it has called its repository "the biggest dataset in the world."¹⁰

But facial recognition technology sparks a series of privacy discussion points. First, it raises the topic of consent: "Unlike other biometric identifiers such as iris scans and fingerprints, facial recognition is designed to operate at a [greater] distance, without the knowledge or consent of the person being identified. Individuals cannot reasonably prevent themselves from being identified by cameras that could be anywhere—on a lamp post, attached to an unmanned aerial vehicle or, now, integrated into the eyewear of a stranger."¹¹

Second, facial recognition technology raises the topic of safeguarding. Biometric information is unlike other unique personal information such as social security or credit card numbers that if lost or stolen, can be replaced. Biometric information is biologically unique to an individual; if compromised, such information is irreplaceable. Therefore, it is important to know for what purpose biometric information will be collected, how it will be used, and how (and for how long) it will be stored before being destroyed.

Yet another question surrounding biometrics in the facial recognition context—and this article's primary focus—is does information derived from facial recognition technology constitute biometric information? Principally, must a facial recognition scan take place in-person, or does one capture biometric data by simply scanning a photograph?

As is often the case, technology outpaces the law, so the answer to this question remains unsettled. To compound matters, there is no federal statute that governs biometric privacy. And without a federal statute, states are left to create their own statutes to protect their citizens' biometric information. Only two states, Illinois and Texas, have statutes directed to biometric privacy. Texas' biometric statute, Capture or Use of Biometric Identifier (CUBI)¹², has not been the subject of judicial interpretation, while judicial interpretation of Illinois' biometric statute, Biometric Information Privacy Act (BIPA)¹³ has yielded results that are seemingly at odds with BIPA's plain text.

***

Part One of this Article discusses BIPA's origins, the obligations BIPA imposes on individuals and companies, and key BIPA-defined terms. Part Two analyzes how federal courts have interpreted BIPA's scope; specifically, whether under BIPA information derived from photographs constitutes biometric information. Part Three identifies common jurisdictional and constitutional defenses to BIPA claims and discusses their relative success. Part Four explores proposed amendments to BIPA and whether existing and proposed biometric statutes in other states consider unique identifying information derived from photographs to be biometric information. Part Five concludes with a discussion on how the existing uncertain biometric legal landscape has taken the focus off of protecting biometric information and instead given savvy plaintiffs' lawyers license to assert multi-million dollar class action suits against companies alleging BIPA violations but devoid of allegations that an individual's biometric information has been compromised.

II. PART ONE: THE ILLINOIS BIOMETRIC INFORMATION PRIVACY ACT (BIPA)

A. BIPA Was Enacted to Safeguard the Biometric and Corresponding Financial Data of Illinois Residents

In 2008, the Illinois legislature faced a dilemma: Pay By Touch, a California-based company that allowed people to pay for goods and services with only a swipe of a finger,¹⁴ was in bankruptcy, and the California bankruptcy court had just approved the sale of Pay By Touch's database.¹⁵ This was no ordinary database, however. This database housed the fingerprint and financial data of all of Pay By Touch's former customers. Importantly for the Illinois legislature, this database included the fingerprint and corresponding financial data of thousands of Illinois citizens; Illinois had served as a pilot testing site for new applications of biometric-facilitated financial transactions, including Pay By Touch's finger-scan technology. Pay By Touch's bankruptcy posed a serious risk to Illinois citizens whom were left wondering what would happen to their fingerprint and financial data stored in Pay By Touch's database.

Illinois recognized that its citizens needed their biometric information protected.¹⁶ "Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions."¹⁷

The Illinois Legislature responded by enacting BIPA,¹⁸ the first state statute focused on the regulation of biometric information in consumer financial transactions. Put broadly, BIPA aims to set "collection and retention standards while prohibiting the sale of biometric information."¹⁹

From its 2008 enactment until 2015, BIPA remained largely unnoticed, if not altogether unknown. Then, in 2015, three Illinois residents sued Facebook alleging that Facebook's "Tag Suggestions" feature collects, stores, and uses biometric information (i.e., faceprints) in violation of BIPA.²⁰ Though seemingly divorced from the discrete intent of BIPA to secure biometric information used in financial transactions,²¹ this suit sparked several more putative class actions against various social media companies' alleged use of photographic-based facial recognition technology.

B. An Individual's or Company's Obligations under BIPA

BIPA proclaims that "[t]he public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information."²²

To achieve this purpose, BIPA makes it unlawful for a private entity to "collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifiers or biometric information, unless it first: (1) informs the subject . . . in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject . . . in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative."²³

If a private entity fails to comply with these requirements, it is subject to civil suit and, at minimum, statutory penalties, per each violation. In particular, BIPA authorizes any person aggrieved by a BIPA violation to file suit against an offending party, and the prevailing party may recover, among other things, $1,000 for each negligent violation, $5,000 for each intentional violation, and reasonable attorneys' fees.²⁴

In short, under BIPA, a private entity must: (1) inform the subject in writing that it collects or stores the subject's biometric identifiers or biometric information; (2) inform the subject in writing of the specific purpose and duration that the biometric identifiers or biometric information will be used, collected, or stored; and (3) obtain the subject's written consent.²⁵ A failure to comply could subject a private entity to civil suit seeking thousands in civil penalties for each alleged violation. For companies like Snapchat and Shutterfly, the number of alleged violations easily rises to the millions.

C. BIPA's Defined Terms Appear to Exclude from...