Class Action Claims Biometric Identification Vendor ID.me’s Data Policy Violates Illinois Law [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit alleges identity verification vendor ID.me, Inc. violated an Illinois privacy law by failing to maintain a legally compliant biometric data retention policy, which allowed it to store collected information for years on end despite state requirements.

The 12-page lawsuit more specifically claims that ID.me, who provides biometric scanning services to various businesses for identity verification purposes, maintained until March 24, 2021 a data retention policy that allowed the company to store individuals’ biometric information for up to seven and a half years after they closed their account.

Per the case, the Illinois Biometric Information Privacy Act (BIPA) requires a company to maintain a policy that mandates that an individual’s biometric identifiers and information be permanently destroyed when the initial purpose for collecting and storing the data has been satisfied or within three years of their last interaction with the company, whichever occurs first.

According to the case, ID.me implied that its data retention policy was out of compliance with the BIPA when the company added Illinois-specific language on March 24, 2021. Although the updated policy still allows ID.me to retain consumers’ biometric data for up to seven and a half years, an exception has made for Illinois residents, for whom the company has said it will destroy their biometric data “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with ID.me, whichever occurs first,” the lawsuit relays.

“All subsequent versions of Defendant’s biometric policy have included this Illinois-specific language,” the complaint alleges. “Thus, not only does Defendant admit that it must comply with BIPA, it likewise implicitly admits that its pre-March 24, 2021 biometric policy was not in compliance with [the BIPA].”

The plaintiff is an Illinois resident who says she was required to register for an ID.me account when she began working at the Ann & Robert H. Lurie Children’s Hospital in Chicago in January 2020. Per the case, the woman uploaded a photo of her face to the ID.me platform, and the company’s technology used the image to generate a facial template for the plaintiff to be used for identity verification purposes.

The suit says that at the time the plaintiff provided her biometric information to ID.me, the company had in place a data retention policy that stated it was allowed to store her data for up to seven and a half years after she closed her account, which the lawsuit argues is a direct violation of the BIPA’s data retention policy requirement.

The lawsuit looks to represent all Illinois residents who, prior to March 24, 2021, used ID.me to scan their face in Illinois.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.