Biometric Privacy Suit Against Shutterfly Proceeds

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Michael J. Bologna

Jan. 7 — In the first ruling in the nation to interpret a state biometric privacy statute, a federal judge in Chicago handed a victory to a putative class that alleged the photo-sharing and storage company Shutterfly Inc. abused consumers' privacy in violation of the Illinois Biometric Information Privacy Act (BIPA), the plaintiffs' counsel in the matter said Jan. 7

U.S. District Court Judge Charles R. Norgle of the U.S. District Court for the Northern District of Illinois Dec. 29 denied a motion to dismiss a BIPA action brought against Shutterfly and its subsidiary ThisLife Inc. (Norberg v. Shutterfly Inc., N.D. Ill., 15-cv-5351, 12/29/15).

Norgle said that the court had personal jurisdiction in the first-of-its-kind action and that the plaintiff, Brian Norberg, had met the minimum threshold for stating a claim for which relief may be granted.

Norgle said that the court was unaware of any previous judicial interpretation of the 2008 statute. Only Illinois and Texas have enacted statutes addressing biometric data. Illinois' law is unique because it authorizes a private right of action and statutory damages. Enforcement actions under the Texas biometric data law are reserved for the attorney general.

David P. Milian, lead counsel for the plaintiffs, said the ruling is a milestone for consumers seeking to preserve their digital privacy rights.

“There are serious privacy concerns related to the unauthorized capture and storage of biometric data by these companies and currently Illinois is the only state to allow private citizens to sue,” said Milian, a partner with the law firm Carey Rodriguez Milian Gonya LLP, said in a statement. “The data privacy concerns are enormous. You can always change your password or get a new credit card or social security number if these websites are hacked, but you can't change your facial geometry.”

Allegations Against Shutterfly

Norberg's original action, filed June 2015, alleged photograph storing site Shutterfly consistently violated the BIPA by collecting and scanning face geometry in photos uploaded to its various websites without gaining the consent of individuals featured in the images. The court ruled Norberg had made adequate allegations to survive a motion to dismiss.

“Here, plaintiff alleges that defendants are using his personal face pattern to recognize and identify plaintiff in photographs posted to websites. Plaintiff avers that he is not now nor has he ever been a user of websites, and that he was not presented with a written biometrics policy nor has he consented to have his biometric identifiers used by defendants,” the court said. “As a result, the court finds that plaintiff has plausibly stated a claim for relief under the BIPA.”

Norgle offered no specific views on Shutterfly's argument that its websites are beyond the scope of the BIPA. Shutterfly has asserted that the BIPA specifically excludes biometric identifiers derived from photographs. The statute defines biometric identifiers as “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The statute excludes writing samples, signatures, photographs, biological samples, demographic data, tattoos, or physical descriptions.

The ruling raises questions about Facebook Inc.'s ability to prevail in a similar putative class action in federal court in Chicago alleging that the social media giant's use of biometric identification technology violates BIPA. Facebook articulated a similar defence in a motion dismiss filed with the court in November, asserting the BIPA excludes biometric identifiers derived from photographs (14 PVLR 2199, 12/7/15).

Counsel for Shutterfly couldn't be immediately reached for comment. The company is represented by Marc J. Zwillinger and Robert Huff of ZwillGen PLLC.

To contact the reporter on this story: Michael J. Bologna in Chicago at

To contact the editor responsible for this story: Donald G. Aplin at

For More Information



Request Bloomberg Law Privacy and Data Security