The Intersection of Biometric Technology, Privacy Laws and Class Action Litigation
In a class action suit brought on March 16, 2023, a visitor to an Amazon Go convenience store in New York City alleged that the company violated the New York City biometric posting statute. That ordinance, enacted in 2021, requires businesses to post clearly visible signage to alert customers that it is tracking biometric information.
Biometric scanning typically involves the use of facial recognition software or fingerprints to identify consumers or employees. It has become increasingly popular in the workplace as a means of tracking time; think of it as the 21st-century answer to timecards.
The first biometric information privacy act in the country, in Illinois, the “BIPA”, initially enacted nearly 15 years ago in 2008, has been upheld and resulted in the proliferation of class action lawsuits in that jurisdiction. The argument made in those suits is that, unlike identity theft involving credit cards or social security numbers, a person cannot obtain a new fingerprint, retinal, voice or face scan. Since 2018, over 2000 lawsuits have been filed under the Illinois statute, resulting in a historic monetary settlement of $650 million in Patel v. Facebook, (3:15-cv-3747). Had that matter gone to verdict, it could have exposed Facebook to billions of dollars in damages.
In a more recent suit, the defendant claimed that such exposure would bankrupt entire industries. However, in its decision only weeks ago in Cothron V. White Castle Systems, Inc. (2023 IL 128004), the Illinois Supreme Court, in response to a certified question from the Seventh Circuit Court of Appeals, held that each instance of collection of biometric data constitutes a separate violation of the BIPA, rejecting defendant’s theory that claims be limited to the first instance that an entity scans or transmits biometric information.
In the newly filed litigation, Perez et al v Amazon.com, Inc. commenced in the Federal Court for the Southern District of New York (1:23-cv-2251. The plaintiff claims that the Amazon cashier-less stores monitor consumers but did not post the requisite signage until recently. Amazon has opened 10 Go stores in New York City since 2019 which monitor visitors and charges their credit cards automatically as they leave. The suit alleges that Amazon tracks its customers and uses “computer vision, deep learning algorithms, and sensor fusion…[to] measure the shape and size of each customer’s body”.
Notably, the case is co-counseled by STOP, the Surveillance Technology Oversight Project, a legal advocacy group concerned with individuals’ privacy rights. The suit was filed only five weeks after a demand that Amazon provide a written statement that any violations of the biometric posting statute had and would continue to be cured. The plaintiff seeks a minimum of $500 in damages per class member plus injunctive relief. Ascertainability, a required element for class membership, is questionable with respect to those who did not scan their palms to actually complete purchases.
In the Second Circuit, alleged injuries must be financial or otherwise tangible under the civil rights laws. However, that standard does not necessarily apply to the New York City ordinance over which the Court has supplemental jurisdiction. The Ninth Circuit ruling in Patel stands for the proposition that an intangible injury may be sufficient to establish standing and that a statutory violation alone is sufficient if the operative statute is meant to protect a plaintiff’s interest and the violation presents a material risk of harm. Such an analysis resounds in the same legal theory as cases brought pursuant to the Americans with Disabilities Act.
Such an interpretation, if adopted in Perez, would open the floodgates to class action litigation in the absence of demonstrable, tangible injury. Moreover, with the adoption of California’s Consumer Privacy Act (“CCPA”) in 2021, which treats biometric information the same as all other personal information.
In the past few years, this genre of class action privacy litigation has exploded as technology has advanced and more individuals are likely to be subjected to collection of their biometric data. Moving forward, it is apparent that the potential for enormous monetary damages will result in an onslaught of even more suits as localities and states enact comparable legislation.
The Firm will continue to monitor and report developments both in biometric privacy legislation and litigation to assist its clients in developing proactive assessments and strategies.
DISCLAIMER: This summary is not legal advice and does not create any attorney-client relationship. This summary does not provide a definitive legal opinion for any factual situation. Before the firm can provide legal advice or opinion to any person or entity, the specific facts at issue must be reviewed by the firm. Before an attorney-client relationship is formed, the firm must have a signed engagement letter with a client setting forth the Firm’s scope and terms of representation. The information contained herein is based upon the law at the time of publication.