Last week, a federal court in Illinois ruled that the Illinois Biometric Information Privacy Act (BIPA) (740 ILCS § 14/1 et seq.) can apply to companies that do not exclusively control consumers’ biometric data, denying an initial motion to dismiss the complaint for failure to state a claim. The case involves Apple’s Photos app, which analyzes the characteristics of an image’s subject and uses the data to create a faceprint.
At issue was whether Apple “possessed” the faceprints, which are considered biometric identifiers, such that Apple is obliged to comply with BIPA even though the faceprints are stored on user-owned devices. See Hazlitt v. Apple Inc., __ F.Supp.3d __, 2021 WL 2414669 (S.D.Ill., June 14, 2021). BIPA requires private entities “in possession of biometric identifiers or biometric information” to develop a written policy establishing a retention schedule and guidelines for permanently destroying the biometric identifiers and biometric information. 740 ILCS § 14/15(a). Because BIPA does not define the term “possession,” the court in the Apple case used the ordinary meaning of possession as “when a person has or takes control of the subject property or holds the property at his or her disposal.” Notably, the court stated that “[t]he ordinary definition of possession does not require exclusive control[.]”
Apple had moved to dismiss the claim that it failed to comply with BIPA section 15(a) because the plaintiffs did not allege that Apple was in possession of user biometric identifiers. Rather, the plaintiffs alleged that “the facial recognition technology runs on the users’ devices and that the biometric data remains in the solid-state memory on the Apple Device, which is owned and controlled by the user.”
Applying the ordinary definition of possession, the court held the plaintiffs had adequately alleged that Apple possessed their biometric data to state a claim under BIPA section 15(a) because the plaintiffs alleged that Apple had “complete and exclusive control over the data on Apple Devices, including what biometric identifiers are collected, what biometric data is saved, whether biometric identifiers are used to identify users (creating biometric information), and how long biometric data is stored.” The court also pointed to the plaintiffs’ allegation that Apple uses software to “create, gather, and harvest faceprints, which Apple stores in facial recognition databases[,]” and that Apple users “cannot disable the collection of biometric data[.]”
Even though this decision is a preliminary one, the court’s ruling will likely have important ramifications for similar technologies and devices. Certainly, other consumer technology companies with apps that create and store faceprints should be on notice that they may fall under BIPA’s section 15(a) requirements even if they do not have exclusive control over consumer data. Beyond that, companies that create software that scans a user’s retina or iris, fingerprint, or voiceprint may be subject to BIPA even if the company does not store the scans.
This ruling may also ensnare third-party data security vendors who sell or license biometric scanning technology to end users even when the vendors are not storing the data, so long as they control how the data is generated and stored. The key issue will likely be whether the company controls what biometric identifiers are collected, what biometric data is saved, whether biometric identifiers are used to identify users, and how long biometric data is stored. Ulmer’s Cybersecurity & Privacy Practice Group keeps a close eye on developing cases like Hazlitt v. Apple Inc., and can help make sure that you comply with potentially applicable privacy requirements.