I recently posted a link on LinkedIn to a New York Times article, with the observation that maybe one day soon, a stranger wearing augmented-reality glasses will know who you are, where you live and work and much more. As reported by the Times, Clearview AI developed a controversial facial recognition app that allows users to upload a photo of an individual and receive “public photos of that person, along with links to where those photos appeared. According to Clearview, the app is primarily used by law enforcement agencies. “The system — whose backbone is a database of more than three billion images that Clearview claims to have scraped from Facebook, YouTube, Venmo and millions of other websites.” See above link to New York Times article. Although it is reportedly only being used by law enforcement as a tool to identify suspects in criminal investigations, the app apparently allows monitoring by Clearview, meaning that Clearview may be aware of what should be confidential and secure information relating to suspects and targets of criminal investigations. Furthermore, the potential for misuse of the app to surveil strangers are limited only by the depth of one’s imagination. (To listen to an interesting podcast with the reporter of the NY Times article discussed above, click here.)
In any event, the app is a powerful facial recognition tool and because it scrapes images of people through all types of social networks and media platforms, the images it captures, arguably, may (1) violate the terms of service agreements used by certain sites and/or (2) laws that prohibit the capturing and/or use of biometric imaging, including facial images, without a person’s consent. It is the latter issue that is the subject of a new class action lawsuit filed this past week against Clearview in the matter of Hall et al. v. Clearview AI, Inc., case number 1:20-cv-00846 (N.D. Ill.) in which the plaintiff alleges violations under the Illinois Biometric Information Privacy Act (“BIPA”).
The allegations of the complaint track BIPA, which, in general, seeks to regulate “the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Under BIPA, biometric identifiers include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Among other things BIPA requires a “private entity” (e.g., “any individual, partnership, corporation, limited liability company, association, or other group, however organized,” excluding state and local governmental agencies) to develop and follow written guidelines regarding the retention and destruction of biometric identifiers. BIPA also requires a private entity to provide written disclosures and obtain a written release before acquiring biometric information. BIPA creates a private right of action to aggrieved individuals against a private entity that violates the statute.
Early last year, in Rosenbach v. Six Flags Entertainment Corporation, the Illinois Supreme Court held that a plaintiff does not have to “plead and prove that they sustained some actual injury or damage beyond infringement of the rights afforded them to have standing to sue” under BIPA. In other words, a mere violation of the statute is all that is required for a plaintiff to maintain an action under BIPA. The immediate consequences of that decision informed the litigation and ultimate settlement in the BIPA class action against Facebook, In re: Facebook Biometric Information Privacy Litigation, 3:15-cv-03747, (N.D.Ca.). In the wake of the Rosenbach decision and an unsuccessful appeal to the Ninth Circuit on Article III standing grounds, as well as the Supreme Court’s refusal to hear a further appeal, coupled with the prospect of being subject to billions of dollars in claims for statutory damages under BIPA, Facebook reached a record $550 million settlement in a BIPA (subscription may be required) class action brought in California.
At issue in Clearview, is its polemical app that allegedly captures and scrapes images (i.e., biometric identifiers such as face geometry) without providing any notice or the subject person’s informed written consent. The lawsuit against Clearview alleges, among other things, that in violation of BIPA, Clearview failed to provide “any policy whatsoever establishing either a retention schedule or guidelines for permanently destroying the biometric data,” notwithstanding it is in possession of “biometric identifiers.” The complaint further alleges before capturing, collecting and obtaining such identifiers, Clearview failed to first: a) inform the subject in writing that the information or identifier is being collected or stored; b) inform the subject in writing of the specific purpose and length of term for which the information or identifier is being collected, stored, or used; and, c) receive a written release from the subject of the information or identifier. See Complaint ¶¶ 27-30. The complaint seeks, among other things, statutory damages for each violation under BIPA.
While, for some, the Rosenbach decision gave rise to significant concerns that it would incentivize the plaintiffs’ bar, exposing companies to substantial damages that in certain instances could threaten their viability, the Clearview class action raises a myriad of serious privacy concerns, reflecting the societal tug of war between the various stakeholders seeking to balance the needs of law enforcement with an individual’s right to privacy. How these privacy issues are reconciled, recognized and resolved may be addressed by the court in the Clearview class action, alongside the court of public opinion and state and federal legislatures. Irrespective of the important privacy issues raised in Clearview, there is no question that BIPA has bite. As such, private entities subject to BIPA are well advised to review their policies to ensure compliance.