Scope and contours of BIPA biometric ‘identifiers’ and ‘information’
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
One of the most significant unsettled issues in Illinois Biometric Information Privacy Act (BIPA) class action litigation pertains to the precise definition and scope of the terms “biometric identifiers,” “biometric information,” and “scans of face geometry” as they are used in BIPA.
Three recent BIPA decisions—Zellmer v. Meta Platforms, Inc., 2024 U.S. App. LEXIS 14619 (9th Cir. June 17, 2024), Martell v. X Corp., 2024 U.S. Dist. LEXIS 105610 (N.D. Ill. June 13, 2024), and Tibbs v. Arlo Techs., Inc., 2024 U.S. Dist. LEXIS 113916 (N.D. Cal. June 27, 2024)—directly address this critical area of uncertainty, offering key insight as to the specific contours of BIPA-regulated data. More than that, these decisions also provide several additional valuable lessons and takeaways that all companies should take into consideration to minimize the outsized legal risks and liability exposure associated with BIPA non-compliance.
Zellmer v. Meta Platforms, Inc.
In Zellmer v. Meta Platforms, Inc., Clayton Zellmer brought a putative BIPA class action against Facebook—now Meta Platforms, Inc.—alleging that Meta collected his biometric identifiers in violation of BIPA when it created a “face signature” from photos uploaded by his friends to the social media platform. A California federal district court granted summary judgment to Meta on Zellmer’s BIPA Section 15(b) claim, which turned on the “practical impossibility” of Meta’s ability to comply with BIPA if it was required to obtain consent from all non-users of the platform before using its now-defunct “Tag Suggestions” feature.
On appeal, the Ninth Circuit Court of Appeals affirmed the award of summary judgment, but on different grounds. Specifically, the appellate court held that Zellmer, a non-user of Facebook, could not maintain an actionable Section 15(b) claim against Meta because the “face signature” generated through Meta’s Tag Suggestions feature did not reveal any geometric information about faces or otherwise correspond to facial features. Instead, the face signature was merely an abstract, numerical representation that could not be reverse-engineered to display a face, which the court concluded did not constitute a biometric identifier—thereby removing the face signatures and Meta from compliance with BIPA altogether.
Martell v. X Corp.
In Martell v. X Corp., Mark Martell brought a putative BIPA class action against X (formerly Twitter), alleging that the company collected his biometric identifiers in violation of BIPA when it scanned and analyzed his uploaded photograph for inappropriate content using Microsoft’s PhotoDNA software. According to Martell, PhotoDNA created a unique digital signature of his photo, known as a “hash,” to compare against the hashes of other photographs—which “necessarily” generated a scan of his face geometry under BIPA.
X successfully challenged the BIPA claims at the pleading stage—resulting in dismissal of the action—due to Martell’s failure to set forth any plausible allegations in his complaint that PhotoDNA collected biometric identifiers, biometric information, or face geometry scans as those terms are used in BIPA. Similar to Zellmer, the Martell court reasoned that the plaintiff could not maintain an actionable BIPA cause of action against X because the complaint was devoid of any allegations that the data generated by PhotoDNA could be used to identify individuals depicted in the photos that were scanned by the tool. Because the complaint failed to allege that the PhotoDNA hashes comprised face geometry scans with the ability to identify individuals, the court dismissed the BIPA claims for failure to state a claim under Federal Civil Rule 12(b)(6).
Tibbs v. Arlo Techs., Inc.
In Tibbs v. Arlo Techs., Inc., three individuals who worked as delivery drivers for DoorDash and UPS brought a putative BIPA class action against Arlo Technologies, Inc.—a technology company that offers home security cameras with video and artificial intelligence (AI) monitoring capabilities—alleging that Arlo ran afoul of BIPA by capturing geometric scans of delivery drivers’ faces, bodies, and hands, in both infrared and visible light spectra, every time deliveries were made to a home equipped with an Arlo home security system. While Arlo’s offering did not include full facial recognition capabilities, it did provide a “Person Detection” feature that used AI to analyze camera scans and, among other things: (1) distinguish between humans and animals; and (2) allow homeowners to search their camera feeds for videos containing people.
The court held that these allegations were sufficient to state a plausible BIPA claim that the security cameras collected and used biometric identifiers. The Tibbs court reasoned the plaintiffs’ contention that the scans taken by the cameras captured infrared and visible light data, which was then used by the Arlo technology to map people’s face geometry, together alleged that Arlo captured data that fell within BIPA’s enumerated list of biometric identifiers—namely, scans of face or hand geometry. The court also found the plaintiffs’ allegations that, according to Arlo’s own patents, the company’s scans could be used to identify particular individuals, plausibly alleged the necessary identification requirement for the data to be considered a biometric identifier under BIPA. Combined, the court held that—at the pleading stage—these allegations formed a plausible claim that the scans captured by Arlo were BIPA-regulated “biometric identifiers,” thereby allowing the class action to proceed to discovery.
Key takeaways
Insight on the scope and contours of BIPA-regulated data
Zellmer, Martell, and Tibbs provide valuable insight into the scope and contours of BIPA-regulated data and, more specifically, the term “biometric identifiers” as it is used in Illinois’s biometrics statute.
The threshold issue of whether an organization’s biometrics-related activities, and the data generated therefrom, are governed by BIPA is one of the most frequently-litigated, and hardest-fought, disputes at the pleading stage of BIPA litigation. This same issue also drives many core legal compliance and risk management strategies for companies that develop, supply, or use biometrics as well.
In Zellmer, the Ninth Circuit held that both biometric identifiers and biometric information require the ability to “identify an individual” to be regulated by BIPA. More specifically, biometric identifiers “must be a feature that can identify a person.” 2024 U.S. App. LEXIS 14619, at *16. Thus, the term biometric identifier “turns on the ability to identify an individual.” Id. The Zellmer court further explained that while something can otherwise fall within BIPA’s specific list of biometric identifiers, it can nonetheless ultimately fall outside of BIPA’s ambit if it cannot identify. As an example, the court noted that scans of face geometry fall within BIPA’s list, but are not covered by BIPA if they cannot identify a person.
Taken together, Zellmer articulates a fairly bright-line rule that, where undisputed evidence establishes that personal data cannot identify individuals, that data, as a matter of law, does not constitute biometric identifiers or biometric information, and is thus not subject to BIPA regulation in the first instance.
The Martell court echoed Zellmer’s line of reasoning, explaining that in order to avoid dismissal, a plaintiff must allege that a defendant’s technology scans individuals’ face geometry, as opposed to simply scanning photos. While the former constitutes a “scan of face geometry,” the latter is only a mere “record of a photo.” As such, Martell explained, a complaint is subject to dismissal in the absence of any allegations that a defendant scanned faces in photos specifically to, for example, locate facial images and extract a numerical representation of the shape or geometry of each facial image, which is necessary to plausibly allege a scan of face geometry. More than that, the Martell court noted, a plaintiff must also sufficiently allege that the data generated from those facial scans possesses the capability to identify individuals in order to constitute BIPA-regulated biometric identifiers.
The Tibbs opinion offers further guidance on the contours of the term biometric identifiers through its comparison of the face signatures at issue in Zellmer with the security camera data at issue in Tibbs. The Tibbs court explained that unlike the scans in Zellmer—which did not reveal geometric information about faces or otherwise correspond to facial features, and thus fell outside the scope of BIPA-regulated data—the Arlo security cameras could purportedly utilize the infrared and visible light data scans they captured to identify particular individuals. That satisfied both elements needed for the data to be considered biometric identifiers under the Illinois law, i.e., that the technology specifically performed scans of faces, and that the data generated by those scans could be used to identify individuals.
BIPA non-user compliance obligations
Another significant aspect of BIPA that remains uncertain and unsettled at this time pertains to whether BIPA’s protections extend to “non-users” of a private entity’s services or products, i.e., individuals with whom the private entity maintains no direct relationship.
The Zellmer court squarely answered this question in the affirmative, holding that the plain text of BIPA applies to everyone whose biometric identifiers or biometric information is collected or possessed by a private entity—even those individuals who lack any type of privity with the entity. The Ninth Circuit explained that “even if it were ‘patently unreasonable’ to provide a cause of action to ‘total strangers to Facebook, and with whom Facebook had no relationship,’ BIPA’s plain terms do just that.” 2024 U.S. App. LEXIS 14619, at *11. As such, under Zellmer, companies are subject to compliance with BIPA even in situations where, from a practicality standpoint, it would be impossible or otherwise extremely burdensome to comply with the law, including, but not limited to, scenarios where a company maintains no direct relationship with end users of its services or products.
Zellmer’s reasoning aligns with other courts that have analyzed BIPA in the context of non-users. For example, in Wise v. Ring LLC, 2022 U.S. Dist. LEXIS 138399 (W.D. Wash. Aug. 3, 2022), the court rejected Ring’s argument that a class of bystanders with no contractual relationship to Ring were barred from maintaining a cognizable BIPA claim against it due to the lack of any relationship between the parties, reasoning that the lack of any direct relationship was irrelevant to the analysis. In so doing, the court held that because Ring maintained systems capable of identifying individuals, the company was required to comply with BIPA.
More recently, in Rivera v. Amazon Web Servs., Inc., 2023 U.S. Dist. LEXIS 129517 (W.D. Wash. July 26, 2023), a federal court found third-party vendor Amazon subject to compliance with BIPA’s Section 15(b) requirements, despite the lack of any direct interaction between Amazon and the end users of its facial biometrics software, which was deployed by Amazon’s customers, and not by Amazon itself. The Rivera court reasoned that the plaintiffs were not “total strangers” to Amazon, but instead were connected through Amazon’s customers, and thus it was “not inconceivable” that Amazon could provide notice to, and obtain consent from, end users during their use of the Amazon software.
This aspect of Zellmer is likely to have a particularly-outsized impact on biometric technology vendors that serve solely in a back-end, service provider capacity and maintain no direct relationship with end users or other data subjects. In particular, Zellmer’s holding that BIPA applies equally to users and non-users alike creates a myriad of substantial compliance complexities for vendors, especially as it relates to complying with BIPA’s informed consent regime, in the absence of any type of direct relationship or interaction. Thus, even where full compliance would be a “practical impossibility,” vendors must nonetheless satisfy all obligations set forth under Illinois’s biometrics statute.
Vendors should take note of this trend toward extending BIPA’s protections to non-users and similar classes of individuals, and strive to ensure that their compliance programs are fully aligned with BIPA in this respect to mitigate associated risks.
Challenges in procuring dismissals of BIPA class actions at the pleading stage
Lastly, Tibbs illustrates the challenges faced by defendants in procuring dismissals from BIPA class actions at the pleading stage, i.e., on a motion to dismiss, particularly in disputes implicating alleged face geometry scans.
BIPA class action suits have remained extremely difficult to defeat at the outset of litigation, a fact that is attributable to a range of factors that include the deference given to plaintiffs’ vague, oftentimes conclusory allegations when ruling on a motion to dismiss, as well as courts’ willingness to interpret BIPA’s statutory language in a manner that heavily favors plaintiffs.
More than that, defendants face an uphill battle in obtaining dismissals at the pleading stage due to the limitations placed on courts with respect to the scope of evidence that can be considered in ruling on a motion to dismiss. Specifically, courts are confined to considering only the allegations set forth in the complaint, and cannot give any consideration to the actual factual circumstances underlying the dispute, such as how a defendant’s technology, in fact, operates.
In Tibbs, the court noted that although it was “entirely possible” that discovery would show, for example, that Arlo’s cameras did not collect face geometry scans (or any other form of biometric identifier or information for that matter), “the Court [found] that—drawing every reasonable inference in Plaintiffs’ favor—Plaintiffs ha[d] presented a plausible story” that they may have been subjected to face or hand geometry scans when they made deliveries to Illinois homeowners. 2024 U.S. Dist. LEXIS 113916, at *17-18 (cleaned up). In support of this conclusion, Tibbs cited a prior BIPA decision, Neals v. PAR Tech Corp., in which the court held that plaintiffs need not “substantiate” an allegation that defendants collected biometric information, but must only “present a story that holds together” to avoid dismissal at the pleading stage. 419 F. Supp. 3d 1088, 1091 (N.D. Ill. 2018).
At bottom, although it is possible to obtain the dismissal of BIPA disputes at the pleading stage—with Martell being an example—Tibbs is illustrative of the significant hurdles that companies often face in attempting to extract themselves from BIPA class disputes at the pleading stage and before proceeding into extremely costly discovery.
To address and mitigate these and other liability risks associated with being named in a BIPA dispute asserting tenuous claims and having to proceed through costly discovery, companies of all types that use biometrics in their operations should strongly consider taking a conservative approach to compliance—one that ensures all applicable BIPA requirements are satisfied—even where it remains unclear whether BIPA applies to the organization’s biometrics-related activities in the first instance.
Specifically, companies should ensure they maintain flexible, comprehensive biometrics compliance programs, which should encompass (among other things) the following:
- a publicly-available, biometrics-specific privacy policy;
- set data retention and destruction guidelines and schedules containing a clear description of the event trigger(s) that will prompt the immediate and permanent destruction of an individual’s biometric identifiers/information;
- a mechanism for ensuring written notice is supplied to all data subjects before the collection of any biometric identifiers/information; and
- a separate mechanism for ensuring written consent is obtained for purposes of allowing any third-party vendor to collect, possess, retain, store, and disseminate biometric data before the time any such data is obtained.
Finally, vendors in particular should also ensure that all contractual agreements entered into with customers contain language regarding the use of biometric identifiers/information that properly allocates the parties’ responsibilities under BIPA (and similar biometrics laws), and which otherwise mitigates applicable legal risks and liability exposure to the greatest extent possible.
About the author
David J. Oberly is Of Counsel in the Washington, D.C. office of Baker Donelson, and leads the firm’s dedicated Biometrics practice. Recognized as “one of the nation’s foremost thought leaders in the biometric privacy space” by LexisNexis, David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. In addition, David has deep experience in litigating bet-the-company BIPA class action disputes. He is also the author of Biometric Data Privacy Compliance & Best Practices—the first and only full-length treatise of its kind to provide a comprehensive compendium of biometric privacy law. He can be reached at [email protected]. You can also follow David on X at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.