The Apple Photos app’s automatic collection of facial data from device users’ photographs without informed written consent amounts to a violation of Illinois’ Biometric Information Privacy Act (BIPA), a proposed class action claims.
The suit alleges Apple Photos collects facial scans without the knowledge or informed written consent of both Apple device users and non-Apple device users, including minors, who appear in photos stored on an iPhone, iPad or other Apple product. According to the case, Apple’s conduct poses a serious threat to Illinois residents in that the exposure or compromise of biometric identifiers can leave victims with no means of preventing identity theft, fraud or unauthorized tracking.
Enacted in 2008, the Illinois BIPA aims to safeguard the unique biometric data—facial geometries, fingerprints, voiceprints, retinal scans, palm prints—of the state’s residents. The law imposes stringent requirements on private entities that collect or possess citizens’ biometric information given the data cannot be changed like a password should it be compromised or stolen. In order to lawfully collect an Illinois resident’s private data, a company must first:
Inform the individual in writing that their biometric information is being collected or stored;
Inform the individual in writing of the purpose and length of time for which their biometric data is being collected, stored and used; and
Receive a written release from the individual whose biometric data is being collected, stored and used.
Moreover, private entities must develop and make public a written retention schedule and guidelines for the permanent destruction of any collected biometric data, the case continues.
Despite the plain language of the statute, Apple has taken control over Illinois citizens’ facial geometries, according to the suit. The company’s facial recognition technology is offered as a “feature” of its Photos app, which is pre-installed on and not removable from Apple devices, and serves to identify individuals who appear in a user’s photos, the case states. Biometric data taken from Apple Photos images is then stored by the company in what it calls a facial recognition database in the solid state memory on a user’s device, the suit says.
Once an individual’s biometric data is collected by Apple, it’s used to create a template that’s run against facial recognition algorithms to analyze photos stored on a device, the case says. The algorithm then automatically groups pictures, including those featuring children and minors, into albums based on whether the person’s face appears in a photo, the case goes on.
“Defendant collects this face Biometric Data without obtaining consent, let alone the ‘informed written consent’ required by [the] BIPA,” the lawsuit claims, noting that Apple users cannot disable the facial recognition technology on their devices nor prevent the company from collecting facial geometries.
Initially filed on March 12 in St. Clair County Circuit Court in Illinois, the case has since been removed to the state’s Southern District.