Jumio looks to settle biometric data privacy class action for $7M
![Jumio looks to settle biometric data privacy class action for $7M](https://d1sr9z1pdl3mb7.cloudfront.net/wp-content/uploads/2018/07/09115731/BIPA-1024x576.jpg)
Jumio has reached a proposed $7 million settlement in a class action lawsuit filed under the Biometric Information Privacy Act (BIPA) of Illinois, for performing facial biometric processes with its NetVerify service, allegedly without meeting the informed consent requirements of the state. Notice of the proposed settlement has been posted online by law firm KCC, in which Jumio vigorously denies that it violated the law.
The previously unreported lawsuit applies to state residents whose biometrics, specifically face geometries, were captured by Jumio, its technology, or any parents, subsidiaries, or agents, between December 21, 2013, and December 23, 2019, at which point the company updated its Privacy Policy for Online Services to include special information for Illinois residents. The new information makes explicitly clear its policies for the collection, transmission, storage and retention of biometric information.
While Jumio does not perceive any violation of the law, the company acknowledges the importance of biometric data privacy, VP of Global Marketing Dean Nicolls told Biometric Update in a telephone interview. For that reason, notwithstanding that the role of Jumio’s business customers is a separate matter, legally speaking, the company wanted to do right by its customers and their end users, leading to the settlement.
Nicolls draws an analogy to the data controller and data processor roles articulated in the EU’s GDPR, which makes the responsibilities of each somewhat clearer than they are in BIPA. The matter is complicated not just by the differences between states, but also by Jumio offering its technology through an SDK, as most other onboarding companies do, or an API, which leaves more control over messaging, and therefore informed consent for biometrics collection, in the hands of the customer implementing it.
“For any of our customers, or really any customers out there that collect biometrics, there are two things that you need to do,” he explains. “First you need to update the privacy policy on your website to reflect that they’re collecting biometric information for a very specific purpose, which is identity verification. There’s more nuance there and they have to contact their attorneys to come up with the right wording, but that’s one thing that they need to do. The other part is they need to provide clear opt-out language before the biometric is actually captured.”
In addition to its privacy policy, Nicolls notes Jumio has updated its SDK to include a specific notice to Illinois residents, and that it is working with its current customers that operate in Illinois to help them make sure any necessary changes are made.
“It’s something we’re going to weather just fine,” Nicolls contends. “We actually believe in the principles of BIPA, we believe that people should have choice and they should be able to opt out, and we’re doing everything in our power to protect our customers as best we can.”
Options for potential class members in the settlement of Prelipceanu v. Jumio Corporation are to accept the settlement, exclude themselves from it, object to the settlement, or do nothing. Exclusions and objections must be received by the court by February 26, while acceptances can be received until March 22.
BIPA lawsuits have typically targeted employers or consumer-facing companies, rather than their technology partners, as the responsibilities of technology providers under the regulation are not clear, and there is precedence indicating vendors are not liable for BIPA consent violations.
Facebook recently settled a BIPA class action for $550 million, in a case that helped establish the low standing requirements for BIPA’s procedural violations.
Suits filed, dismissed and challenged in court
A typical BIPA suit, a potential class action against an employer over the use of a fingerprint biometric time and attendance system without meeting the Act’s informed consent requirements, has been dropped. Javier De La Rosa had his request to dismiss the federal court suit against his former employer Choice Hotels International without prejudice granted, Law360 reports. Details of why he has now dropped the suit were not provided, but the dismissal without prejudice means it could be refiled, likely in a different venue.
A similar suit has been brought against pharmaceutical packaging company Nosco Inc., according to a separate Law360 article, with a former employee filing in Cook County Circuit Court.
WeWork, meanwhile, is seeking a dismissal of the BIPA consent violation suit filed against it in the federal court for the Northern District of Illinois on grounds that the allegation does not show a specific violation, and may not meet the one-year statute of limitations, according to Bloomberg Law.
Biometric vending machine company Canteen’s parent company Compass Group USA has also had a potential class action suit filed against it for allegedly failing to meet BIPA’s informed consent standards, Kiosk Marketplace reports. The suit filed in Cook County Circuit Court claims no data retention or deletion policy was shared by the company.
The settlement of its BIPA lawsuit by Facebook in a case that the U.S. Chamber of Commerce claimed could cause “devastating harm” to business could amount to damages of a couple of hundred dollars per user, the Chicago Tribune reports.
Attorney Jay Edelson, who represents some plaintiffs, expects a record number of claims to be filed, while another, Paul Geller, estimated 5 to 6 million Facebook users could be included. At 5.5 million users, the settlement would amount to $100 each.
“We decided to pursue a settlement as it was in the best interest of our community and our shareholders to move past this matter,” said Facebook spokesperson Dina El-Kassaby in a statement.
Article Topics
biometric data | Biometric Information Privacy Act (BIPA) | biometrics | data collection | facial recognition | identity verification | Jumio | lawsuit | legislation | privacy
Comments