Shutterfly Can’t Escape Illinois Biometric Privacy Class Action

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

Online photo company Shutterfly Inc. faces consumer Illinois biometric privacy law class claims that it allegedly extracted and stored non-user facial images without written consent, a federal court ruled Sept. 15 ( Monroy v. Shutterfly, Inc. , N.D. Ill., 16-10984, motion to dismiss denied 9/15/17 ).

The case is being closely watched by the technology sector as more companies employ facial recognition technology and capture more consumer biometric data. Apple Inc., for example, recently unveiled its iPhone X model, which includes user facial recognition to unlock the smartphone.

Under the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. § 14/15, no private entity may obtain or otherwise collect a person’s “biometric identifier or biometric information” unless it informs the subject in writing that the information is being stored; informs the subject about “the specific purpose and length of term” of use; and receives express written authorization to use that information.

Shutterfly employs facial recognition technology to identify consumers who appear in the photos they download and store on the site. It does so by scanning images to create “a highly detailed ‘map’ or ‘template’ for each face based on its unique points and contours,” the court wrote.

Shutterfly, which made $1.1 billion in fiscal year 2016 revenue, according to Bloomberg data, settled a March 2016 BIPA class action for an undisclosed amount. Facebook Inc. and Alphabet Inc.'s Google also face BIPA putative class actions in federal court. Illinois was the first state to enact a biometric privacy law, followed by Texas and Washington.

Judge Joan B. Gottschall of the U.S. District Court for the Northern District of Illinois denied Shutterfly’s motion to dismiss because BIPA doesn’t expressly exclude the data extracted from a “scan of face geometry” from its definition of “biometric identifier.” The Illinois legislature could have narrowly specified what a scan of face geometry was if it didn’t want the law to be able to adapt to technological advances, Gottschall wrote.

Gottschall also kicked out Shutterfly’s claim that BIPA requires a showing of actual damages to recover under the statute. Under the law, plaintiffs may recover statutory damages of $5,000 per willful violation and $1,000 for each negligent violation. Even if actual damages were needed under the statute, the plaintiff specifically raised actual damages in his complaint, Gottschall wrote.

Redwood City, Calif.-based Shutterfly’s assertion that the class claims were an unconstitutional reach of BIPA also were dismissed.

Representatives for Shutterfly didn’t immediately respond to Bloomberg BNA’s email request for comment.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the order is available at http://src.bna.com/sAI.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security