Class Action Claims Biometric Identification Vendor ID.me’s Data Policy Violates Illinois Law [UPDATE]
by Erin Shaak
Skinner v. ID.me, Inc.
Filed: August 8, 2022 ◆§ 2022CH07688
A lawsuit alleges identity verification vendor ID.me violated an Illinois privacy law by failing to maintain a legally compliant biometric data retention policy.
Case Update
August 11, 2022 – ID.me Responds to Lawsuit
In an email to ClassAction.org, an ID.me spokesperson provided the following statement in response to the lawsuit detailed on this page:
“We believe the assertions made in the Skinner lawsuit are without merit, and ID.me intends to vigorously defend against them. ID.me takes very seriously the rights of users to control their personal data and has made privacy and security for users a top priority.”
A proposed class action lawsuit alleges identity verification vendor ID.me, Inc. violated an Illinois privacy law by failing to maintain a legally compliant biometric data retention policy, which allowed it to store collected information for years on end despite state requirements.
The 12-page lawsuit more specifically claims that ID.me, who provides biometric scanning services to various businesses for identity verification purposes, maintained until March 24, 2021 a data retention policy that allowed the company to store individuals’ biometric information for up to seven and a half years after they closed their account.
Per the case, the Illinois Biometric Information Privacy Act (BIPA) requires a company to maintain a policy that mandates that an individual’s biometric identifiers and information be permanently destroyed when the initial purpose for collecting and storing the data has been satisfied or within three years of their last interaction with the company, whichever occurs first.
According to the case, ID.me implied that its data retention policy was out of compliance with the BIPA when the company added Illinois-specific language on March 24, 2021. Although the updated policy still allows ID.me to retain consumers’ biometric data for up to seven and a half years, an exception has made for Illinois residents, for whom the company has said it will destroy their biometric data “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with ID.me, whichever occurs first,” the lawsuit relays.
“All subsequent versions of Defendant’s biometric policy have included this Illinois-specific language,” the complaint alleges. “Thus, not only does Defendant admit that it must comply with BIPA, it likewise implicitly admits that its pre-March 24, 2021 biometric policy was not in compliance with [the BIPA].”
The plaintiff is an Illinois resident who says she was required to register for an ID.me account when she began working at the Ann & Robert H. Lurie Children’s Hospital in Chicago in January 2020. Per the case, the woman uploaded a photo of her face to the ID.me platform, and the company’s technology used the image to generate a facial template for the plaintiff to be used for identity verification purposes.
The suit says that at the time the plaintiff provided her biometric information to ID.me, the company had in place a data retention policy that stated it was allowed to store her data for up to seven and a half years after she closed her account, which the lawsuit argues is a direct violation of the BIPA’s data retention policy requirement.
The lawsuit looks to represent all Illinois residents who, prior to March 24, 2021, used ID.me to scan their face in Illinois.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Camp Lejeune
Camp Lejeune residents now have the opportunity to claim compensation for harm suffered from contaminated water.
Read more here: Camp Lejeune Lawsuit Claims
Stay Current
Sign Up For
Our Newsletter
New cases and investigations, settlement deadlines, and news straight to your inbox.
Before commenting, please review our comment policy.