Lawsuit alleges biometric privacy violations from face recognition algorithm training

Allegations that the Ever cloud photo service violated Illinois’ stringent biometric data privacy regulations have made Paravision the latest biometrics provider to face a civil suit under the statute.

Illinois resident Lynette Walton claims in a suit filed in California federal court that she used the Ever photo storage service, and the company used her images to train its facial recognition algorithms. The plaintiff is seeking class actions status, and the maximum damages of $5,000 per violation plus attorney’s fees.

The suit is filed in California federal court presumably because Paravision does not have offices or specifically market its service to people in Illinois, making it unlikely that state court would have jurisdiction, based on precedence.

The plaintiff alleges that she began using the service in 2017, and that the company profited from biometric processing of her images, through training its algorithm, without meeting BIPA’s informed consent requirements. These allegations are behind the plaintiff’s three related claims of statutory violations.

Ever AI updated its privacy policy in 2019 to note that uploaded images could be used in algorithm training, shortly before an NBC News report suggested images from Ever’s cloud service had been used to train the company’s facial recognition. The company shifted its focus to biometrics and rebranded to Paravision soon after, and announced it would shutter the free service and would not use the data uploaded to it for any purpose in August.

The suit is striking in its similarity to the series of suits alleging BIPA violations by tech giants and one biometrics-focused company, FaceFirst, in the course of their use of a dataset created to reduce or eliminate bias in facial recognition. It is not yet clear if BIPA applies to algorithm training (even if Paravision did use the plaintiff’s images to do so, which is unproven), because individuals are not identified during the process.

Google’s recent motion to dismiss the suit against it on the grounds that any alleged actions in violation of BIPA did not occur in Illinois could also apply to Paravision.

Whether alleged procedural violations are sufficient to establish standing in federal court is also somewhat uncertain, as previous rulings have gone either way in similar cases.

David Oberly of Blank Rome’s new Biometric Privacy Team recently wrote in a Biometric Update guest post that with the legal landscape around facial recognition shifting rapidly, there are some pro-active steps companies can take to limit their risk of legal exposure.

Article Topics

algorithms  |  biometric data  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  data protection  |  facial recognition  |  lawsuit  |  legislation  |  privacy  |  training