On April 25, 2022, in Sosa v. Onfido, Inc., the U.S. District Court for the Northern District of Illinois held that faceprints derived from photographs are biometric identifiers and should be regulated under the Illinois Biometric Information Privacy Act (BIPA). This case is significant, as photographs have generally been exempted from BIPA. However, the court distinguished normal photographic images from facial geometric scans, similar to fingerprint scans.
BIPA was enacted in 2008 to regulate the collection, use, and handling of biometric identifiers by private entities. BIPA requires companies to comply with requirements including:
- Notice and Consent. Under Section 15(b) of BIPA, an entity is not permitted to collect or obtain biometrics unless it: (1) provides notice to the individual that biometrics are being collected, the purpose of collection, and the length of time the information will be collected, stored, or used; and (2) obtains the individual’s written consent.
- Written Policy. Under Section 15(a) of BIPA, an entity collecting or using biometric information is required to have a written policy establishing the retention schedule and guidelines for the destruction of biometric identifiers.
The most striking part of BIPA is that it provides a private right of action to anyone who believes their rights under the act were violated, and there have been multiple actions, including class action lawsuits. Plaintiffs often point to photographs in biometrics claims, but defendants have been able to assert that these were outside the scope of BIPA – until now.
Overview of the Case
The defendant in the case is a facial recognition software company; the software is used by online businesses to verify consumers' identities. The plaintiff, an Illinois citizen, purchased goods through an online marketplace that used the software. When the plaintiff verified his identity, the software scanned his face, extracted a unique numerical representation of the geometry of the facial image (often called a “faceprint”), and compared the faceprint to the plaintiff’s driver’s license. It also retained the faceprint in its database.
The plaintiff sued Onfido under Section 15 of BIPA, arguing that he did not receive notice that the software collected, stored, or used his faceprint, that he did not provide written consent, and that he was not informed about the software’s retention or deletion practices for the faceprint.
The court found that the data taken by the software was a biometric identifier, which under the statute means "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." While the court acknowledged that BIPA specifically excludes photographs, it distinguished this as a geometric scan used to compare the uploaded photo and the driver’s license, which is a biometric identifier under BIPA.
We expect that BIPA litigation in this area will increase after this ruling, and the parameters of what may be covered will continue to be tested. Companies using identification verification services, including third-party software, should review the technology carefully to confirm whether facial geometry is being used.
Additionally, companies should be preparing for similar BIPA regulations to begin popping up in other states. Lawmakers in multiple states, often in response to constituent concerns, are working to limit how biometric information is acquired, used, and stored.
For questions, reach out to any of the authors of this article, or your local Baker Botts attorney.