2024 BIPA Developments: What is a Biometric Identifier and Biometric Information?

Chicago, Ill. (July 25, 2024) - It has been another busy year for developments under the Illinois Biometric Information Privacy Act, 740 ILCS 14 et seq. (BIPA), with three recent decisions providing key insight into the scope and contours of the statute - specifically concerning what constitutes a biometric identifier/biometric information.

1. Zellmer v. Meta Platforms, Inc., 2024 U.S. App. LEXIS 14619 (9th Cir. June 17, 2024)

In Zellmer v. Meta Platforms, a panel of the Ninth Circuit Court of Appeals, a traditionally liberal court, affirmed the district court’s grant of summary judgment in favor of Facebook — now Meta Platforms, Inc. (Meta) — on plaintiff Clayton Zellmer’s claim that Facebook violated BIPA by collecting or capturing his biometric identifiers when it created “face signatures” for the Facebook Tag Suggestions feature.

a. The District Court Dismissed Plaintiff’s BIPA Claims

Zellmer, a non-user of Facebook, sued Facebook after his friends uploaded photographs of him to the social media site, claiming that Facebook collected or captured his biometric identifiers when it created the “face signature” from the uploaded photographs. Specifically, Zellmer alleged a violation of BIPA Sections 14/15(a), which requires private entities to develop a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information, and 14/15(b), which requires private entities to obtain informed consent before collecting the biometric identifiers.

After discovery, the district court dismissed Zellmer’s Section 15(b) claim, reasoning that “it would be patently unreasonable to construe BIPA to mean that Facebook was required to provide notice to, and obtain consent from, non-users who were for all practical purposes total strangers to Facebook, and with whom Facebook had no relationship whatsoever.” The district court also dismissed Zellmer’s 15(a) claim based on lack of Article III standing because he did not suffer any particularized injury traceable to Facebook’s alleged failure to develop a policy. The filing of BIPA cases in which there is no injury has become commonplace since the explosion of BIPA litigation in recent years.

b. The Ninth Circuit Affirms on Other Grounds

The Ninth Circuit affirmed the district court’s ruling, but on different and significant grounds. It held that 15(b)’s language is clear that non-users are protected, regardless of any preexisting relationship with the party alleged to have violated the statute. However, the Ninth Circuit was required to answer the threshold question of “whether a face signature is either a biometric identifier or biometric information for BIPA purposes,” concluding it is neither. The Court held that “face signatures” are not biometric identifiers or biometric information under BIPA because they are not capable of identifying a person, a requirement under the plain language of BIPA. This determination was based on evidence in the record from a declaration of Facebook’s Product Manager that explained that a “face signature” cannot be used to identify anyone because it (1) is “an abstract, numerical representation of a face crop” that does not identify any information about the non-users; and (2) “cannot be reverse-engineered” to identify non-users.

The Ninth Circuit also affirmed the district court’s ruling that Zellmer lacked standing under BIPA Section 15(a). In affirming, the Ninth Circuit cited to the Seventh Circuit holding in Bryant v. Compass Grp USA, Inc., 958 F.3d 617 (7th Cir. 2020), that the duty to publish a policy is owed to the “public generally,” and Zellmer failed to explain how he or the proposed class members were harmed in a “concrete and particularized” way. The Court further held that Zellmer could not make the required showing because the data, i.e. the “face signature,” was not subject to BIPA in the first place.

The Zellmer decision provides significant support for the proposition that when data cannot identify individuals, that data, as a matter of law, does not constitute a biometric identifier or biometric information, and thus is not subject to regulation by BIPA.

2. Martell v. X Corp., 2024 U.S. Dist. LEXIS 105610 (N.D. Ill. June 13, 2024).

In Martell v. X Corp., plaintiff Mark Martell alleged that he uploaded a photograph of himself on X, formerly known as Twitter, which X then analyzed for nudity and other “not-safe-for-work” content using a Microsoft product called “PhotoDNA.” According to Martell’s allegations, PhotoDNA created a unique digital signature of the photograph, known as a “hash,” to compare against other photograph’s hashes, thus necessarily creating a scan of his facial geometry in violation of BIPA. X moved to dismiss, arguing, among other things, that the plaintiff failed to allege that PhotoDNA obtained a scan of face geometry as defined and required by BIPA because (1) PhotoDNA did not perform facial recognition, and (2) the hashes created by PhotoDNA are not biometric information or biometric identifiers under BIPA since they cannot be used to identify a person.

The court dismissed the plaintiff’s complaint. In ordering dismissal, the court rejected the plaintiff's “conclusory” assertion, noting that “[t]he fact that PhotoDNA creates a unique hash for each photo does not necessarily imply that it is scanning for an individual’s facial geometry when creating the hash.” The court distinguished the plaintiff’s allegation from BIPA complaints in which courts have found that a plaintiff plausibly alleged that the defendant collected their biometric identifier. The court explained that the plaintiff “did not allege facts indicating that the hash is a scan of face geometry, as opposed to merely a record of the photo” or aver that the “hash process takes a scan of face geometry,” instead summarily concluding that it must. Photos are not regulated by BIPA under the exclusions set forth in the statute.

The court also agreed with X that the complaint did not allege that the hashes could be used to identify individuals in photos and therefore were not biometric identifiers. The plaintiff unsuccessfully attempted to argue that “BIPA does not require that biometric identifiers be used to identify an individual because, unlike the definition for biometric information, the definition for biometric identifier does not include the ‘used to identify an individual’ language.” The court addressed that argument by considering the plain language of the term “biometric identifier,” dictionary definitions of “identifier,” and case law, holding that in order to qualify as a biometric identifier under BIPA, a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry must identify an individual. The court noted that the fatal flaw in the plaintiff’s claim was his failure to allege that any type of facial scan actually occurs during the hash creation process. Without that scan, there is necessarily no scan of face geometry which could be used to identify an individual as required by BIPA to be considered a biometric identifier.

In summary, the Martell decision confirms that in order to avoid dismissal, a plaintiff must allege, after proper presuit investigation and in accordance with the rules of professional conduct: (1) that a defendant’s technology scans individuals’ face geometry, as opposed to simply scanning photos; and (2) that the data generated from these face scans can be used to identify individuals in order to constitute biometric identifiers.

3. Tibbs v. Arlo Techs., Inc., 2024 U.S. Dist. LEXIS 113916 (N.D. Cal. June 27, 2024)

In Tibbs v. Arlo Techs., Inc., three plaintiffs who worked as delivery drivers for DoorDash and UPS sued Arlo, a home security company that offers security cameras supported by high quality video and artificial intelligence (“AI”) monitoring, for alleged violations of BIPA by collecting, storing, and scanning the drivers’ biometric identifiers with its cameras and software. Specifically, the plaintiffs alleged that the Person Detection feature “necessarily requires the collection of people’s facial, body, and hand geometry in both the infrared and visible light spectra to reliably distinguish people from animals.”

Arlo filed a motion to dismiss the plaintiffs’ claims. Arlo argued, among other things, that the plaintiffs failed to allege that Arlo collected or possessed “biometric identifiers” as defined by BIPA. Specifically, Arlo argued that the complaint failed to state a claim under BIPA because the plaintiffs failed to allege that Arlo’s infrared or visible light scans (1) can be used by Arlo to identify the plaintiffs, and (2) fall into the definition of “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” as required by BIPA but rather that “Arlo’s scans are ‘heat maps,’” which are not classified as a biometric identifier under BIPA.

The court disagreed, reasoning that the plaintiffs’ contention that the scans captured infrared and visible light data that Arlo’s technology then uses to “map[] peoples’ face geometry” was sufficient to allege at the pleading stage that Arlo captured data that fell within the definition of “biometric identifiers” under BIPA, namely “scan[s] of hand or face geometry.” In addition, the court further found that the plaintiffs plausibly alleged the necessary identification requirement for the data to be considered a “biometric identifier” under BIPA by averring that, according to Arlo’s own European patent, the company’s scans could be used to identify a specific person at a door and send a user a message.

The Tibbs decision is significant in its confirmation that to be covered by BIPA, the data that is captured must be able to identify individuals to satisfy the statute's definition of biometric identifier.

Lewis Brisbois has been on the cutting edge of BIPA litigation defense and compliance services, establishing the country’s first dedicated BIPA practice, chaired by Chicago Partners Mary Smigielski and Josh Kantrow. Our BIPA team stands ready to defend businesses facing BIPA claims and assist with BIPA compliance obligations. For more information on this decision, contact the author or editors of this alert. Visit our Illinois BIPA Practice page to learn more about Lewis Brisbois’ capabilities in this area.

Author:

Cameron Liljestrand, Associate

Editor:

Mary Smigielski, Partner and Co-Chair of Illinois BIPA Practice