A proposed class action claims EcoATM, LLC has failed to comply with an Illinois privacy law before collecting customers’ facial scans at its in-store smart device recycling kiosks.
The lawsuit claims customers who use EcoATM’s self-serve kiosks, which can be found in stores such as Walmart and Kroger, are required to provide scans of their facial geometry without first receiving certain disclosures as to how their biometric information will be used or consenting to the practice.
More specifically, the case alleges EcoATM has overstepped the Illinois Biometric Information Privacy Act by failing to:
Properly inform customers in writing of the purpose and length of time for which their facial geometry would be collected, stored and used;
Provide a publicly available retention schedule and guidelines for permanently destroying customers’ facial geometry data;
Receive a written release from customers to collect, store, disseminate or otherwise use their facial geometry scans; and
Obtain consent from customers to disclose, redisclose or otherwise disseminate their facial geometry to a third party.
According to the case, customers who intend to use EcoATM’s kiosks to recycle a smart device must submit to two facial geometry scans. First, a camera located at the kiosk captures a scan of the customer’s facial geometry using biometric software before the user is then required to insert a government-issued identification card to also be scanned, the suit explains. EcoATM’s kiosks then analyze the facial geometry data captured from the ID card and compare it to the scan of the user’s face to determine whether they are sufficiently similar, the case says. Thereafter, the user is permitted to continue the process of recycling their device, according to the complaint.
Per the lawsuit, EcoATM stores the facial geometry scans of both the customer and their ID card in its database without informing them of the purpose of such or for how long the data will be kept and whether it will be disclosed to a third party.
Moreover, EcoATM profits from customers’ biometric data by marketing its biometric verification features as superior to other methods of identity verification and theft prevention, the case alleges. In this way, the defendant maintains a competitive advantage in the market for secondary device sales and secures profits from such, “all while failing to comply with the minimum requirements for handling users’ biometric data established by BIPA,” the lawsuit says.
According to the suit, EcoATM’s apparent BIPA violations have increased the risk that customers’ biometric data will be accessed by unauthorized third parties, which the case describes as an “irreversible privacy risk” given biometric information cannot be changed or replaced if compromised.
The lawsuit looks to cover anyone in Illinois who had their biometric identifiers and information collected, captured, received, obtained, maintained, stored or disclosed by EcoATM during the applicable statutory period.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.