Google has been hit with a proposed class action filed by an Illinois father who alleges the tech goliath has illegally collected, stored and used the personally identifiable biometric information of children under 13 years old who use the “G Suite for Education” platform on ChromeBook laptops issued to certain schools nationwide.
Alleging violations of Illinois’ Biometric information Privacy Act (BIPA) and the federal Children’s Online Privacy Protection Act (COPPA), the 32-page lawsuit out of California claims Google has collected voiceprints, facial templates and a number of other “highly sensitive and immutable biometric data” from “over half of the nation’s school children” without parental or guardian consent.
According to the lawsuit, Google has collected student G Suite users’ physical locations, websites they visit, videos they watch on YouTube, voice recordings and “other behavioral information” unique to each child in clear violation of both laws and without making any “reasonable effort” to obtain permission before doing so.
Two laws, one goal
At the heart of the suit are alleged violations of laws implemented at the state and federal level to address ever-persistent concerns with online privacy. Both the COPPA and the Illinois BIPA aim to protect consumers’ “biometrics,” unique and identifiable physical characteristics such as facial or fingerprint scans that are unlike passwords in that once compromised they cannot be changed.
In 1999, the suit explains, Congress passed the COPPA with the express goal of protecting children’s privacy. Per the suit, the law prohibits companies from lawfully obtaining the personally identifiable information of a child younger than 13 without parental or guardian consent. Under the COPPA, the operator of a commercial website or online service, including apps, who collects, uses, and/or discloses personally identifiable information from children may not do so without:
Information considered “personally identifiable” under COPPA includes names, email addresses, phone numbers, screen names or user names, media files containing a child’s image and/or voice, geolocation details and Social Security numbers, the case adds. Under Federal Trade Commission guidelines, “verifiable parental consent” can be obtained through signed consent forms, use of a credit card payment in exchange for services, and asking “knowledge-based questions,” according to the case.
In the spirit of COPPA, the Illinois BIPA also lays out stringent guidelines governing the collection, storage, use and disclosure of consumers’ biometric identifiers. Passed by the Illinois legislature in 2008, the Illinois BIPA makes it unlawful for a company to “collect, capture, purchase, receive through trade, or otherwise obtain a person or a customer’s biometric identifiers” without first:
- Informing the subject in writing that a biometric identifier or biometric information is being collected or stored;
- Informing the subject in writing of “the specific purpose and length of term” for which their biometric identifier will be collected, stored and used;
- Receiving a written release from the owner of a biometric identifier or the individual’s legally authorized guardian allowing for the collection, storage and use of their biometric data; and
- Making publicly available a written policy establishing a retention schedule and guidelines for the permanent destruction of biometric identifiers “when the initial purpose for collecting or obtaining such” has been satisfied or within three years of an individual’s last interaction with a private company.
After a brief synopsis of Google’s switch from a company at least cognizant of the dangers of facial recognition technology to one that’s gone all in on collecting users’ biometric data for profit, the lawsuit charges that Google’s heel-turn in the biometric data arena is now trickling down to many of the nation’s classrooms. According to the case, biometric data collection practices that started with Google Photos’ facial recognition capabilities has “in less than four years” come to affect student ChromeBook users.
“Infiltration” of the country’s school system
The lawsuit says that Google, in an attempt to both drive the adoption of its ChromeBook laptops in schools nationwide and assuage parents’ and educators’ concerns over its “history of privacy abuses,” publicly assured that it took student privacy seriously. In particular, according to the case, Google promised to “never mine student data” through the G Suite for Education platform for its own commercial purposes.
To seemingly “reaffirm” its commitment to student privacy, Google, in or around 2015, reluctantly signed the K-12 School Service Provider Pledge to Safeguard Student Privacy, a set of principles to which the lawsuit says the company was initially “hesitant to sign” before acquiescing after drawing some public ire.
The lawsuit says that in signing the Student Privacy Pledge, Google “affirmatively and expressly” committed to not collect, maintain, use, share, or disclose student information collected through an educational service for targeted behavioral advertising, nor build personal student profiles for non-educational purposes unless authorized by a parent or guardian. Moreover, in signing the pledge, Google agreed to clearly disclose in an easily understandable manner the types of personal student information that would be collected and the purpose behind using or sharing such information with third parties, the case says.
Despite its public privacy protection pledge, Google has illegally extracted, collected, stored and catalogued student G Suite for Education users’ voiceprints and facial geometries in a “vast database of personally identifying biometric data,” the lawsuit alleges. According to the complaint, Google collects and maintains student users’ voiceprints and face templates as a means to “identify and track” children who use its ChromeBook laptops and G Suite for Education platform.
More specifically, when Google scans a child’s voiceprint or facial template, the information is compared with voiceprints and facial templates that are already stored in the company’s biometric database, the suit claims. If there is a match, the case continues, Google is able to confirm the identity of the child using G Suite for Education and is thereby able to “enhance[e] the functionality of the various features available on the platform,” as well as “further improve the quality of the child’s voiceprint or face template stored” in Google’s database.
Beyond being able to identify a student by name, the information collected by Google can be used to recognize gender, age and location, the lawsuit alleges.
The plaintiff argues in no uncertain terms that both COPPA and the Illinois BIPA clearly prohibit Google’s “secret and unlawful” student data collection. Further still, Google, according to the suit, “has made no effort to come into compliance” with either law at any point since 2015 and has engaged in exploitative biometric data collection and storage practices to the detriment of millions of students under 13 years old without parental or guardian consent.
Who does this lawsuit look to represent?
The case proposes to cover two groups of people, broken out by alleged violations of either state or federal law:
All persons who, while using the ‘G Suite for Education’ platform at a primary or secondary school in Illinois, had their voiceprint or face template collected by Google after March 26, 2015.”
All persons under the age of 13 who, while using the ‘G Suite for Education’ platform at a primary or secondary school in the United States had their voiceprint, face template, or other personally identifiable information collected by Google after March 26, 2016.”
The case can be found below.
Want class action lawsuit news sent to your inbox? Sign up for ClassAction.org’s newsletter here.