On February 14, Northern District of Illinois Judge Sharon Johnson Coleman rejected Clearview AI’s arguments that Illinois’ Biometric Information Privacy Act (BIPA) violated the First Amendment.

In 2020, Clearview AI was accused of violating BIPA in multiple cases filed in the Northern District of Illinois and the Southern District of New York. The plaintiffs alleged that Clearview AI covertly scraped over three billion photographs of facial images from the internet and used artificial intelligence to scan and harvest each individual’s unique biometric data without their knowledge or consent. The cases were consolidated into a multidistrict litigation in the Northern District of Illinois on January 8, 2021, styled In re: Clearview AI, Inc. Consumer Privacy Litigation.

In its motion to dismiss, Clearview AI argued, inter alia, that its capture of faceprints from public images and its analysis of the public faceprints was protected speech under the First Amendment. It asserted that it merely collected public photographs from the internet, created facial vectors, and compared them to images provided by law enforcement. This conduct, according to Clearview AI, helped law enforcement identify criminals, including some who had engaged in sexual exploitation of children and even those who participated in the January 6, 2021, Capitol riots. The database and search engine were never made public or sold to anyone.

In response, the plaintiffs contended that the capturing of faceprints and the action of extracting private biometric identifiers from the faceprints is unprotected conduct, not speech. They argued that a person’s sensitive biometrics do not somehow become “public information” simply because they can be harvested from public photographs. That the photographs were public was inapposite. As the plaintiffs asserted, “[t]his case is not about Defendants’ collection of online photographs. It is about Defendants’ trespass on the private domains of millions of Americans by harvesting their unique and immutable biometrics for personal gain.”

The ACLU filed an amicus brief supporting the plaintiffs’ argument, explaining that faceprints are “measurements of our immutable and unique biological characteristics — akin to fingerprints or DNA profiles.” Thus, “unlike a social security or passport number, they cannot be changed or protected once control is lost.” The ACLU challenged Clearview AI’s description of its services as “a search engine that merely analyzes and republishes publicly available information.” According to the ACLU, “Clearview can gather information from the public internet and it can run a search engine without violating BIPA. What it cannot do is capture Plaintiffs’ faceprints, or ‘scan[s] of … face geometry,’ … without their knowledge or consent.”

The court agreed with the plaintiffs that “[w]hile the photographs may have been posted to the internet, the additional conduct of harvesting plaintiffs’ nonpublic, personal biometric data violated BIPA.” This additional conduct “presents grave and immediate danger to privacy, individual autonomy, and liberty.” The court found Clearview AI’s process in creating its database involves both speech and nonspeech elements, and the court therefore applied an intermediate strict scrutiny approach under United States v. O’Brien. Finding the O’Brien elements were satisfied, the court found (1) BIPA furthered an important government interest, (2) the interest was unrelated to the suppression of free expression, and (3) any incidental restriction on speech was no greater than necessary to further that interest. (The first O’Brien prong — that BIPA was within Illinois’ power to enact — was uncontested and therefore not analyzed.) The court accordingly denied Clearview AI’s motion to dismiss on First Amendment grounds.

Clearview AI raised a smattering of other arguments in support of its motion to dismiss, most of which the court rejected. Specifically, it denied the motion relating to arguments based on (1) extraterritoriality, (2) the dormant clause, (3) whether BIPA excluded information derived from photographs, (4) the defendants sued in their individual capacities as personal participants, (5) piercing Rocky Mountain Data Analytics LLC’s corporate veil to reach its parent, Clearview AI, (6) whether the plaintiffs sufficiently stated that the defendants sold or profited from the plaintiffs’ information, (7) Article III standing, (8) Virginia’s statute prohibiting unauthorized use of pictures, (9) the Virginia Computer Crimes Act, (10) the common law right to publicity under California law, (11) the right to privacy under the California Constitution, (12) New York’s Civil Rights Act, (13) unjust enrichment under Illinois, Virginia, and California law, and (14) the failure to state a claim for declaratory and injunctive relief.

The court granted Clearview AI’s motion to dismiss the claims (1) to pierce Clearview AI’s veil to reach its co-founders, (2) under California’s Unfair Competition Law, and (3) for unjust enrichment under New York law (as it was preempted by New York’s Civil Rights Act).

Clearview AI’s overwhelming rejection on Valentine’s Day pulls on one’s heart strings, but don’t lose hope. There’s always the merits …

Troutman will continue to follow this case and bring you updates as the litigation progresses.