Apple Biometric Privacy Disclosures Not Good Enough, Class Action Alleges

New to ClassAction.org? Read our Newswire Disclaimer

Apple has failed to sufficiently disclose to Illinois residents that the facial and fingerprint recognition features of its iPhones, iPads and MacBooks—Face ID and Touch ID— extract their sensitive biometric information, a proposed class action alleges.

The 34-page complaint contends that Apple has never adequately informed Illinois residents of its biometric information collection practices, namely the specific purpose and length of time for which the data will be collected and stored, nor obtained the requisite written consent to capture, collect, store and otherwise use consumers’ facial and fingerprint scans. Moreover, the suit claims Apple has failed to develop a written policy establishing a retention schedule or guidelines for the permanent destruction of the biometric data it collects.

Overall, Apple, whose biometric data collection practices are alleged to be “inextricably intertwined” with the company’s other services, has fallen short of the requirements of the Illinois Biometric Information Privacy Act (BIPA), a state law enacted as a means to protect residents’ unique, unchangeable biometric identifiers and govern their use by private entities, the case says. 

Apple’s Touch ID and Face ID are used to access traditional passwords on users’ devices and can be used as direct log-in methods for the devices and other applications, the suit states. Through Touch ID and Face ID, Apple also collects certain user diagnostic data, including how many times the features are used to unlock a device, per the case.

As far as the BIPA is concerned, Apple’s disclosures regarding the collection of users’ facial scans and fingerprints through Face ID and Touch ID, respectively, fall well short of the law’s requirements, the lawsuit contends. The suit relays that from the moment users enroll in either feature, Apple provides no details concerning the capture, storage and use of fingerprint and facial data; the length of time and purpose for collecting the information; or a timeline for how long the information will be kept by the company and when it will be permanently destroyed. From the complaint: 

“Altogether, Apple’s Touch ID and Face ID brings together into one body or place— and thus captures and collects—a user’s biometrics. Apple also controls—and thus possesses—a user’s biometrics. Defendant’s contractual relationship with users is direct, ongoing, and intertwined with other services Apple provides. Defendant wholly owns and exclusively controls the software used to capture, collect, and possess a user’s biometrics. Defendant’s enrollment process fails to inform users of the specific purpose and length of time a user’s biometric identifier or information is being collected or stored. Defendant also fails to receive a written release from users. And Defendant fails to make publicly available a written retention schedule for destroying a user’s biometrics. Accordingly, Defendant’s Face ID and Touch ID Products violate … [the BIPA].” 

The case looks to represent consumers in Illinois who had their fingerprints and facial geometries possessed, captured, collected, stored or otherwise obtained by Apple’s Touch ID and Face ID in the state. 

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.