January 8, 2016 -
A federal judge in Illinois is allowing a lawsuit against Shutterfly Inc. to proceed despite the company’s claims that its tagging software does not break state privacy law, according to a report in the International Business Times.
This is the first time any court has interpreted an Illinois statute that prohibits companies from collecting and storing biometric data without first obtaining informed written consent. Illinois state lawmakers passed the Biometric Information Privacy Act, or BIPA, in 2008.
Shutterfly argued that the Illinois Biometric Information Privacy Act (BIPA) does not pertain to “photographs and any information gleaned from photographs” as they “cannot be biometric identifiers”. But that wasn’t enough to get the lawsuit dismissed.
Facebook, who is facing a similar lawsuit, has also argued that the lawsuits against it are without merit because the Illinois Biometric Information Privacy Act does not bar companies from storing photos of faces or data generated from photos, but rather, only applies to faceprints that stem from in-person scans.
Currently, Illinois and Texas are the only states with legislation addressing biometric capture for commercial purposes.
The Texas law is similar to BIPA in that it requires companies to inform and receive consent from the subject before collecting any biometric data. However, it does not specify the exact form the notice and consent must take and states that lawsuits must be brought by the state and not individuals.
Although there are a handful of other states that have similar legislation pending, including Alaska and Washington, the outcome of Shutterfly’s lawsuit, as well as others that are likely to soon follow, may influence other states as they work towards implementing new privacy laws that address biometric technologies.
“Currently, Illinois is the only state to allow private citizens to sue,” David Milian, lead partner in the case at Carey Rodriguez, said in a statement. “The data privacy concerns are enormous. You can always change your password or get a new credit card or Social Security number if these websites are hacked, but you can’t change your facial geometry.”
The Illinois statute, which also covers iris and fingerprint scans, provides for recoveries of $5,000 for each violation.