Google hit with new biometric data privacy class action under BIPA
On the heels of a proposed $550 million settlement that Facebook recently agreed to settle lawsuits under the controversial Illinois Biometric Information Privacy Act (BIPA), a deal which is still subject to the approval of U.S. District Judge James Donato of the United States District Court Northern District Of California, Google was being served with a class-action lawsuit alleging it, too, has violated BIPA.
“The amount in controversy exceeds $5 million exclusive of interest and costs … for damages and other legal and equitable remedies resulting from the illegal actions of Google in collecting, storing, and using the Plaintiff’s and other similarly-situated individuals’ biometric identifiers and biometric information without informed written consent, in direct violation of BIPA,” the class action suit alleges.
At the same time, Google was being slammed with the class action suit in the same Federal District Court, U.S. District Judge James Donato of the Northern District of California presiding over the Facebook suit asked lawyers at a hearing last Thursday to provide detailed explanations of why the deal would pay class members less than statutory damages amounts.
BIPA requires any business that collects and stores state residents’ biometrics – facial recognition photos and related files, fingerprints, iris scans, and DNA must provide details on how this Personally Identifiable Information – biometrics – is stored and protected. Violations of the law carry statutory penalties of $1,000 for negligent violations and $5,000 for violations deemed intentional or reckless.
On the heels of the May 2018 enactment of the European Union’s General Data Protection Regulation, known as GDPR, the French government fined Google approximately $57 million for allegedly failing to clearly explain how it uses its consumers’ personal information.
The class-action suit that was filed just this past week noted that “The Illinois Legislature has found that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
“In recognition of these concerns over the security of individuals’ biometrics – particularly in the City of Chicago, which was selected by major national corporations as a ‘pilot testing site’ for new applications of biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias, the Illinois legislature enacted BIPA, which provides, inter alia, that a private entity like Google may not obtain and/or possess an individual’s biometrics unless it: (1) informs that person in writing that biometric identifiers or information will be collected or stored … (2) informs that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used … (3) receives a written release from the person for the collection of his or her biometric identifiers or information … and (4) publishes publically available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information.”
Consequently, in interpreting the BIPA statute and spirit, the class-action suit states that “In direct violation of each of the foregoing provisions of § 15(a) and § 15(b) of BIPA, Google is actively collecting, storing, and using — without providing notice, obtaining informed written consent, or publishing data retention policies — the biometrics of millions of unwitting individuals whose faces appear in photographs uploaded to Google Photos in Illinois.”
“Specifically,” the suit alleges, “Google created, collected, and stored, in conjunction with its cloud-based ‘Google Photos’ service, millions of ‘face templates’ (or ‘face prints’) – highly detailed geometric maps of the face – from millions of Google Photos users. Google creates these templates using sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces that appear in photos taken on Google Android devices and uploaded to the cloud-based Google Photos service. Each face template that Google extracts is unique to a particular individual, in the same way that a fingerprint or voiceprint uniquely identifies one and only one person.”
The four attorneys who filed the class-action suit, Tina Wolfson, Robert Ahdoot, Theodore W. Maya, and Bradley K. King of the Los Angeles-based law firm Ahdoot & Wolfson, PC, argued “Google’s proprietary facial recognition technology scans each and every photo uploaded to the cloud-based Google Photos for faces, extracts geometric data relating to the unique points and contours (i.e., biometric identifiers) of each face, and then uses that data to create and store a template of each face – all without ever informing anyone of this practice” and creating facial templates “without obtaining informed written consent.”
The class-action lawsuit was brought “individually and on behalf of all other similarly-situated individuals to prevent Google from further violating his and class members’ privacy rights, and to recover statutory damages for Google’s unauthorized collection, storage, and use of these individuals’ biometrics in violation of BIPA.”
The suit’s primary plaintiff is Brandon Molander, a resident, and citizen of Illinois. According to the suit, “There are more than 100 putative class members … of different states.” The Counsel for Plaintiff and the Putative Class is attorney David P. Milian of the Miami, Florida-based law firm, Carey Rodriguez Milian Gonya, LLP.
In alleging “Google Violates Illinois’s Biometric Information Privacy Act,” the class action litigation states “in May 2015, Google announced the release of its photo sharing and storage service called Google Photos. Users of Google Photos upload millions of photos per day, making photographs a vital part of the Google experience. The Google Photos app, which comes pre-installed on all Google Android devices, is set by default to automatically upload all photos taken by the Android device user to the cloud-based Google Photos service. Users can also connect other devices to Google Photos to upload and access photos on the cloud-based service.”
But, the suit argues, “Unbeknownst to the average consumer, and in direct violation of § 15(b)(1) of BIPA, Google’s proprietary facial recognition technology scans each and every photo uploaded to the cloud-based Google Photos for faces, extracts geometric data relating to the unique points and contours (i.e., biometric identifiers) of each face, and then uses that data to create and store a template of each face – all without ever informing anyone of this practice,” pointing out that “the cloud-based Google Photos service uses these face templates to organize and group together photos based upon the particular individuals appearing in the photos.”
“This technology works by comparing the face templates of individuals who appear in newly-uploaded photos with the facial templates already saved in Google’s face database. Specifically, when a Google Photos user uploads a new photo, Google’s sophisticated facial recognition technology creates a template for each face depicted therein, without consideration for whether a particular face belongs to a Google Photos user, and then compares each template against Google’s face template database. If there is a match, then Google groups the photo from which the newly-uploaded face template was derived with the previously uploaded photos depicting that individual.”
It’s “these unique face templates [that] are not only collected and used by Google Photos to identify individuals by name, but also to recognize their gender, age, and location,” the suit states. “In direct violation of §§ 15(b)(2) and 15(b)(3) of BIPA, Google never informed Illinois residents who had their face templates collected of the specific purpose and length of term for which their biometric identifiers or information would be collected, stored, and used, nor did Google obtain a written release from any of these individuals.”
Also, “In direct violation of § 15(a) of BIPA, Google does not have written, publicly available policies identifying its retention schedules, or guidelines for permanently destroying any of these biometric identifiers or information.”
In comes the initial plaintiff, Brandon Molander, whom the suit says “first signed up for a Google Photos account approximately five years ago,” and that “since first signing up, Plaintiff Molander has used his smartphone devices to take and upload numerous photos in the state of Illinois to his cloud-based Google Photos account,” which “contains dozens of photos depicting … Molander that were taken with his smartphone and automatically uploaded in Illinois to Google Photos.”
“These photos were all uploaded to the cloud-based Google Photos service while his smartphone was located in the state of Illinois and assigned an Illinois-based IP address,” the suit continues to lay out its argument, noting that the photos were “immediately uploaded to the cloud-based Google Photos storage service [where] Google analyzed these photos by automatically locating and scanning Plaintiff Molander’s face, and by extracting geometric data relating to the contours of his face and the distances between his eyes, nose, and ears – data which Google then used to create a unique template of Plaintiff Molander’s face.”
“The resulting unique face template was used by Google to locate and group together all photos depicting Molander for organizational purposes;” his “face template was also used by Google to recognize” his gender, age, race, and location; and “Molander never consented, agreed or gave permission – written or otherwise – to Google for the collection or storage of his unique biometric identifiers or biometric information.”
“Further, Google never provided Molander with nor did he ever sign a written release allowing Google to collect or store his unique biometric identifiers or biometric information,” the suit lies out, adding, “Likewise, Google never provided Molander with an opportunity to prohibit or prevent the collection, storage, or use of his unique biometric identifiers or biometric information. Nevertheless, when photos of Molander were automatically uploaded to Google Photos from within the state of Illinois, Google located Molander’s face in the photos, scanned [his] facial geometry, and created a unique face template corresponding to” him – “all in direct violation of BIPA.”
As concerning the size of the class, the suit states “Although the exact number of Class members is uncertain, and can only be ascertained through appropriate discovery, the number is great enough such that joinder is impracticable, believed to amount to millions of persons. The disposition of the claims of these Class members in a single action will provide substantial benefits to all parties and the Court.”
And this is where the rules of discovery come into play in a revelatory manner Google is likely to find unnerving, especially because the suit asks for “awarding statutory damages of $5,000.00 for each and every intentional and reckless violation of BIPA under 740 ILCS 14/20(2), or alternatively, statutory damages of $1,000.00 for each violation pursuant to 740 ILCS 14/20(1) if the Court finds that Google’s violations were negligent.”
That could be a load of money, much like – if not more than – what Facebook has proposed to settle the suit against it for, and both cases are intricately intertwined in context and perspective.
As the suit explains, “Information concerning the exact size of the putative class is within the possession of Google. The parties will be able to identify each member of the Class after Google’s document production and/or related discovery.”
Also, there’s the matter of “commonality. “Common questions of fact and law exist as to all Class members and predominate over any questions that affect only individual Class members,
including by example only and without limitation, the following:”
• Whether Google collected or otherwise obtained Plaintiff’s and the Class’s biometric identifiers or biometric information;
• Whether Google properly informed Plaintiff and the Class that it collected, used, and stored their biometric identifiers or biometric information;
• Whether Google obtained a written release (as defined in 740 ILCS 1410) to collect, use, and store Plaintiff’s and the Class’s biometric identifiers or biometric information;
• Whether Google developed a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of their last interaction, whichever occurs first;
• Whether Google used Plaintiff’s and the Class’s biometric identifiers or biometric information to identify them; and
• Whether Google’s violations of BIPA were committed intentionally, recklessly, or negligently.
Continuing, the suit noted that, “typicality – all of Plaintiff’s claims are typical of the claims of the proposed Class they seek to represent in that: Plaintiff’s claims arise from the same practice or course of conduct that forms the basis of the Class claims; Plaintiff’s claims are based upon the same legal and remedial theories as the proposed Class and involve similar factual circumstances; there is no antagonism between the interests of Plaintiff and absent Class members; the injuries that Plaintiff suffered are similar to the injuries that Class members have suffered.
The class-action suit cites several precedential cases and issues. For example, it states “The use of facial recognition technology in the commercial context presents numerous privacy concerns” noting that “during a 2012 hearing before the United States Senate Subcommittee on Privacy, Technology, and the Law, U.S. Senator Al Franken stated that ‘there is nothing inherently right or wrong with [facial recognition technology, but] if we do not stop and carefully consider the way we use [it], it may also be abused in ways that could threaten basic aspects of our privacy and civil liberties.’ Senator Franken noted, for example, that facial recognition technology could be ‘abused to not only identify protesters at political events and rallies but to target them for selective jailing and prosecution.’”
The suit also cited that “the Federal Trade Commission has raised similar concerns, and recently released a ‘Best Practices’ guide for companies using facial recognition technology. In the guide, the Commission underscores the importance of companies’ obtaining affirmative consent from consumers before extracting and collecting their biometric identifiers and biometric information from digital photographs.”
Now, will the Facebook matter be an influencer? That’s a question that’s being asked … and watched closely by observers and practitioners in the biometrics legal space.
While the settlement Facebook agreed to in which it would put $550 million cash into a fund for the plaintiffs, in January 2018 Donato certified a class of potentially 6 million Illinois Facebook users as plaintiffs in the case and consolidated the three separate lawsuits that had been filed by Chicago-based Edelson PC (known for its litigious privacy-related cases and who first exposed Facebook’s potential violations of BIPA) Labaton Sucharow LLP and Robbins Geller Rudman & Dowd LLP, a move which was upheld by the Ninth Circuit Court of Appeals following Facebook having managed to get the lawsuit temporarily transferred from Illinois to California in what was widely seen as a blatant attempt to have the suit tossed out entirely.
The Northern California District Court, though, had a much different take, paving what seemed to be an inevitable road toward a jury trial that Facebook did not want. Then, magically, Facebook and the plaintiffs agreed on the biggest monetary settlement of its kind in a private lawsuit, which all parties credited to former President Obama Special Counsel Jeff Bleich for having mediated. Bleich is a former United States Supreme Court law clerk and was Special Counsel to President Obama, and the U.S. Ambassador to Australia.
However, the proposed settlement agreement must still be approved by Judge Donato, who pointedly questioned attorneys at the hearing why the proposed settlement would only recompense less than the $1,000 in statutory damages for negligent violations required by BIPA. “The phrase litigation risk is not sufficient,” he said, seeming to emphasize his point that “every case has litigation risk.”
The 9th U.S. Circuit Court of Appeals, however, earlier ruled that the issue is merely one of a breach of the class’s privacy rights, and that based on the claims rate class members may end up with $200 without having had to disclose any actual damages.
The plaintiffs will now ask the District Court to give preliminary approval of the settlement and order that notice is sent to the Illinois class.
In a statement seemingly directed at Judge Donato’s comment from the bench, the class counsel from Edelson, Robbins Geller Rudman & Dowd and Labaton Sucharow said the deal will provide more cash to each class member than any other previous privacy settlement.
Jay Edelson of Edelson PC said in a statement following the hearing that, “Biometrics is one of the two primary battlegrounds, along with geolocation, that will define our privacy rights for the next generation. We are proud of the strong team we had in place that had the resolve to fight this critically important case over the last five years. We hope and expect that other companies will follow Facebook’s lead and pay significant attention to the importance of our biometric information.”
Paul Geller, who heads the consumer protection arm of Robbins Geller — a plaintiffs’ firm widely known for record-breaking class-action verdicts and settlements – stated: “This case should serve as a clarion call to companies that consumers care deeply about their privacy rights and, if pushed, will fight for those rights all the way to the Supreme Court and back until they are justly compensated.”
He added, “Consumers are recognized, identified and surveilled more than we like and certainly more than we know. While I applaud advances in technology, now more than ever we can’t lose sight of the need to protect our civil liberties and right to privacy.”
Interestingly as an aside, the court has created a specific section on its website on the Facebook suit and imposed rather unusual, if not necessarily typical, restraints on the media covering it. “Neither the court’s public information staff nor individual judges will comment on individual cases. Such inquiries should be directed to attorneys in the case. Attorneys are listed on the case docket,” a notice says. Also, it states “The court no longer issues news releases containing court-related news; rather, court news is posted in the ‘Notices’ section of the court’s homepage.”
“Illinois enacted a statute not to thwart innovation, but to protect individuals’ privacy,” commented Labaton Sucharow Head of Consumer Cybersecurity Michael Canty. “As technology advances, corporations must be mindful of the privacy of their customers and comply with the law.”