Illinois Federal Judge Delivers Another Win For BIPA Defendants

Chicago, Ill. (August 8, 2024) - Key Points: In G.T., et al. v. Samsung Electronics America, Inc., et al., No. 21-CV-4976, 2024 WL 3520026 (N.D. Ill. July 24, 2024), an Illinois federal judge dismissed claims brought under the Illinois Biometric Information Privacy Act (“BIPA”). The decision is significant because it narrows the scope of conduct and data that can expose a business to liability under the statute. The decision is particularly important for companies engaged in technology design, sales, or licensing, especially those that do not handle or store any ‘biometric’ data generated by customer use.

Background:

Illinois residents using Samsung smartphones and tablets filed claims against Samsung Electronics America, Inc. and Samsung Electronics Co., Ltd. The lawsuit alleges that Samsung’s pre-installed facial recognition technology in the Gallery photo application (the "Application") violates BIPA. Specifically, the Application scans images for faces using proprietary facial recognition technology, creating face templates and organizing photos based on similar faces. The plaintiffs argue that this process collects biometrics, in violation of the statute.

The District Court’s Decision:

A. Whether Samsung Possessed and Collected Biometric Data

Regarding Samsung’s first argument, the parties disagreed as to “whether a private entity is in possession of biometrics when it creates and controls technology that purportedly generates biometrics, even if the entity does not receive or access the data.” To address this disagreement, the Court first began by analyzing what it means to “possess” biometric data under §15(a) of BIPA and to “collect, capture, or otherwise obtain” biometric data under §15(b). In the context of BIPA, the court found that “possession” occurs when someone exercises “any form of control of the [biometric] data or held the data at his disposal.” To “collect, capture, or otherwise obtain” biometric data under BIPA, the court explained that this requires someone/something “to gain control” of biometrics and to take an “active step” towards receiving the biometrics.

As for possession, the plaintiffs contend that Samsung is in possession because “Samsung has complete and total control over the biometric data surreptitiously captured using proprietary software that Samsung owned and alone controlled, preventing users from turning it off or disabling it.” The Court disagreed, concluding that the plaintiffs have not adequately alleged that Samsung was “in possession” of their biometrics and that, although Samsung controls the Application and its technology, Samsung did not have “dominion over the Biometrics generated from the App[lication], and plaintiffs have not alleged Samsung receives (or can receive) such data.” Ultimately, the Court concluded that the “salient inquiry for determining possession under Section 15(a) is “whether the entity exercised control over the Biometrics, not whether it exercised control over the technology generating the Biometrics.”

As for the plaintiffs’ Section 15(b) claim, the plaintiffs alleged that Samsung took an “active step” to obtain their biometrics by designing the Application to “automatically harvest[] biometric data from every photo stored on the Device and not only conceals this from users, but prevents them from disabling the process or destroying that information.” The Court disagreed, noting that Section 15(b) concerns private entities “collecting, capturing, or obtaining Biometrics, not creating technology.” The plaintiffs failed to allege that Samsung received the data the Application collects, or that Samsung could access that data. Further, the plaintiffs failed to allege that Samsung took any action towards the data at all once the data was generated. For those reasons, the Court rejected the plaintiffs’ argument. (“Plaintiffs argument again conflates technology with Biometrics …. Plaintiffs do not argue that Samsung possesses the Data or took any active steps to collect it. Rather, the active step according to Plaintiffs is the creation of the technology.”).

B. Whether the Data is “Biometric”

Turning to Samsung’s second argument to support dismissal, it explained that “the App[lication] does not generate ‘biometric identifiers’ or ‘biometric information’ subject to BIPA’s regulation” because the information cannot be used to identify the plaintiffs. In response, the plaintiffs argued that the Application “scans facial geometry, which is an explicitly enumerated biometric identifier” and that the Application’s “storage of Data (mathematical representations of face templates) constitutes biometric information.”

The Court explained that “Samsung has the better argument.” While the Court acknowledged the split regarding what meaning should be given to the word “identifier” in “biometric identifier,” the Court followed the “line of cases that require biometric information to be capable of recognizing an individual’s identity, not simply an individual’s feature.” Specifically, the Court concluded that BIPA only covers those “retina or iris scan[s], fingerprint[s], voiceprint[s], or scan[s] of hand or face geometry” that are capable of identifying an individual. The Court explained that plaintiffs failed to allege that the Application’s technology is capable of identifying a person’s identity, instead alleging only that the Application grouped unidentified faces together, and it is the “Device user who (has the option to) add names to the faces.” These allegations were insufficient to demonstrate that the data constitutes a biometric identifier or biometric information.

Impacts of the Decision:

The G.T. v. Samsung decision provided a much-needed clarification for BIPA defendants, confirming the majority position of courts that a company must actually receive or access the data in order to be “in possession of” and “collect” it within the meaning of BIPA. The same holds true even if the entity, like Samsung, created and controlled the technology that generated the alleged biometric data. In addition, the G.T. opinion confirmed the position of the Ninth Circuit’s decision in Zellmer v. Meta Platforms, Inc., which held that a “biometric identifier” must be capable of identifying a specific person. Zellmer v. Meta Platforms, Inc., 104 F.4th 117, 1125 (9th Cir. 2024).

Lewis Brisbois has been on the cutting edge of BIPA litigation defense and compliance services, establishing the country’s first dedicated BIPA practice, chaired by Chicago Partners Mary Smigielski and Josh Kantrow. Our BIPA team stands ready to defend businesses facing BIPA claims and assist with BIPA compliance obligations. For more information on this decision, contact the author or editors of this alert. Visit our Illinois BIPA Practice page to learn more about Lewis Brisbois’ capabilities in this area.

Author:

Cameron Liljestrand, Associate

Editor:

Josh M. Kantrow, Partner and Co-Chair of Illinois BIPA Practice