Macy’s blasts ‘legal gamesmanship’ in biometric data privacy suit, seeks dismissal
A lawsuit alleging the use of Clearview AI’s face biometrics service by Macy’s Retail Holdings in violation of the Illinois Biometric Information Privacy Act (BIPA) should be thrown out over “blatant forum-shopping,” plus the plaintiff’s failure to allege that their data was ever collected, accessed or otherwise used by the company, according to a defense motion to dismiss.
Law Street Media reports that the plaintiff had attempted to include Macy’s in the multi-district litigation (MDL) currently underway against Clearview, prompting the retailer to accuse plaintiffs of “legal gamesmanship.”
The motion notes that the case against Macy’s was the only one involving Clearview that was not consolidated with the rest last December. Plaintiff Isela Carmean voluntarily dismissed her complaint just before her opposition brief was due in an initial suit, and has since refiled it as part of the consolidated complaint without requesting that the court transfer the original case to the MDL.
Courts have previously determined that an ongoing, underlying case is necessary to add a plaintiff or defendant to an MDL, Macy’s argues in a brief in support of its motion.
Carmean also did not allege that she had visited a Macy’s store, where her biometrics could have been collected, the company says.
Legal status of biometric data scraping uncertain
Experts tell Law360 that using automated software to collect data from websites, as Clearview did to build its biometric database of billions of images, may not fall afoul of GDPR, let alone American data breach laws.
Data scraping incidents involving Facebook and LinkedIn in Ireland and Italy, respectively, are being investigated, but each company says it has not suffered a data breach, and has emphasized that the data harvested was marked ‘public.’
University of Colorado Law School Silicon Flatirons Center Executive Director Amie Stepanovich notes that U.S. data breach laws consider personal data in a fairly limited sense.
“Information that might not seem on its own to be sensitive or worth notifying people over can become sensitive when combined with other data,” Stepanovich tells Law360. “We need to open our thinking as to when people need to be notified when their information is compromised, regardless of whether the compromise stems from a ‘security breach’ or whether that data is ‘publicly available.’”
Facebook says cracking down on data scraping without diminishing the social network’s user experience would be practically impossible.
Kronos stay rejected
Courts are hearing arguments related to BIPA’s statute of limitations in Tims v. Black Horse Carriers Inc. and Cothron v. White Castle, according to Kronos, but an Illinois federal judge rejected the company’s request for a stay on grounds that Kronos waited too long to file it.
A decision may come soon in the White Castle case, in which plaintiffs allege that each individual biometric verification counts as a separate violation of BIPA. An amicus brief filed by the Restaurant Law Center and the Retail Litigation Center Inc. argues that such an interpretation overreaches the text of the Act. White Castle has argued the suit was filed after the statute of limitations had already expired.