An Illinois federal court has dismissed a proposed class action alleging X Corp. violated the state’s Biometric Information Privacy Act (“BIPA”) through its use of PhotoDNA software to create “hashes” of images to scan for nudity and related content. The court held that Plaintiff failed to allege that the hashes identified photo subjects and therefore failed to allege that the hashes constituted biometric identifiers. Martell v. X Corp., 2024 WL 3011353, at *4 (N.D. Ill. June 13, 2024).

BIPA prohibits private entities from collecting or capturing “a person’s or a customer’s biometric identifier or biometric information” without first obtaining the subject’s informed consent, among other requirements. 740 ILCS 14/15(b). BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and defines “biometric information” as any information “based on an individual’s biometric identifier used to identify an individual.” 740 ILCS 14/10.

In dismissing the complaint, the court agreed with X’s arguments that Plaintiff failed to plausibly allege (1) that the PhotoDNA software collects scans of facial geometry and (2) that the hashes identified photo subjects. First, the court rejected Plaintiff’s “conclusory” assertion that the creation of a hash from a photo that includes a person’s face “necessitates” creating a scan of facial geometry, saying, “The fact that PhotoDNA creates a unique hash for each photo does not necessarily imply that it is scanning for an individual’s facial geometry when creating the hash.” Id. at *2. The court distinguished Plaintiff’s allegation from those that withstood dismissal in a different case in which the plaintiff alleged that scans of photos “located her face and zeroed in on its unique contours to create a ‘template’ that maps and records her distinct facial measurements.” Id. at 3 (quoting Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1091 (N.D. Ill. 2017)).

Second, and importantly, the court agreed with X that the complaint did not allege that the hashes could be used to identify individuals in photos and therefore were not biometric identifiers. It rejected Plaintiff’s argument that “BIPA does not require that biometric identifiers be used to identify an individual because, unlike the definition for biometric information, the definition for biometric identifier does not include the ‘used to identify an individual’ language.’” Id. at *3.

Considering the plain language of the term “biometric identifier,” dictionary definitions of “identifier,” and case law, the court held that in order to qualify as a biometric identifier, a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry must identify an individual. The court reasoned that otherwise, “it would contravene the very purpose of BIPA,” asking, “If a face geometry scan could not identify an individual, how could a business provide the individual with notice and obtain their consent?” Id. This decision may guide other courts to narrowly construe the term “biometric identifier” and highlights the importance of future BIPA defendants considering arguments that particular scans or data may not qualify as biometric identifiers if they do not identify specific individuals.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.

Photo of Thea McCullough Thea McCullough

Thea McCullough counsels national and multinational companies across industries as a member of the Data Privacy and Cybersecurity, Litigation, and Public Policy practice groups.

Thea advises clients on a broad range of privacy issues, such as privacy policies and data practices, responses to…

Thea McCullough counsels national and multinational companies across industries as a member of the Data Privacy and Cybersecurity, Litigation, and Public Policy practice groups.

Thea advises clients on a broad range of privacy issues, such as privacy policies and data practices, responses to regulatory inquiries, and compliance obligations under federal and state privacy regulations, including biometric privacy laws. She also represents clients before the Federal Trade Commission in privacy enforcement actions and in consumer protection litigation.

Thea draws on her past experience across all branches of government to inform her practice and to advise clients on public policy matters. Most recently, Thea served as a clerk for the U.S. District Court for the Eastern District of Texas. Prior to beginning her legal career, Thea served as the communications director for the White House National Space Council, where she spearheaded messaging campaigns for Presidential Space Policy Directives and the administration’s civil, commercial, and defense space policy initiatives, and previously as the communications director for the U.S. House Committee on Science, Space, and Technology, where she managed the communications team and developed messaging strategies for policy and legislation covering several issue areas, including cybersecurity, advanced technologies, space, energy, environment, and oversight. She also served as a national spokesperson for President Trump’s 2020 campaign.

Thea is admitted to the DC Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.