News 02.24.22

Technology & Cyber Risk Client Alert: Evolution of BIPA Voiceprint Claims in Illinois Persists

What if your favorite fast food chain knew your order better than, or perhaps before you did? The Northern District of Illinois recently addressed this issue in yet another lawsuit brought under Illinois’ Biometric Information Privacy Act (“BIPA”). In Carpenter v. McDonalds[1], plaintiff alleges that voiceprint data collected through McDonalds’ automated drive-through windows constitutes biometric information that is subject to the protection of BIPA. While many recent BIPA cases involve the collection of fingerprints, the Carpenter case serves as a reminder that scope of the statute is, indeed, broad in its protection of biometric identifiers.

In Carpenter, plaintiff alleges that McDonalds uses technology that converts a customer’s speech into an “audio waveform.” According to the allegations, McDonalds is able to extract the duration and pitch of a customer’s speech, and that his information can be used to identify a person’s national origin, gender, accent and age. Plaintiff alleges that these biometric identifiers are subject to the same legal protection as fingerprints, and that McDonalds has run afoul of the Illinois statute by failing to ask for customers’ consent prior to obtaining this data. McDonalds argues that the technology is designed to reflect a customer’s intent, and that its purpose is to allow the company to efficiently capture a customer’s order at any location. The issue before the court is whether plaintiff's complaint sufficiently alleges facts contending that McDonalds’ collects its customers' voiceprints data. On January 13, 2022, the court concluded that plaintiff sufficiently pleaded facts putting defendant on notice of the Section 15(b) claims against it, and as a result, this claim would proceed to discovery. The court also found that plaintiff did not sufficiently plead its Section 15 (d) claim therefore, this claim was dismissed without prejudice.

Similarly, in Wilcosky v. Amazon, Inc.,[2] plaintiffs filed a class action lawsuit alleging that Alexa, which is described as a “voice based virtual assistant”, improperly collected biometric identifiers. The District Court specifically noted that a voiceprint is a biometric identifier because it can, in fact, be used to identify an individual. The court further noted that the Illinois statute provides “robust protection” for biometric identifiers that cannot be changed. The unique stature of voiceprints and their implied protection under BIPA are further emphasized in Zaluda vs. Apple Inc.[3], in which plaintiff alleged that voice data unknowingly collected via Siri captured physical information that, unlike passwords or social security numbers, cannot be separated from the speaker nor changed if compromised by an unauthorized third party.

The majority of BIPA lawsuits appear to involve the alleged unlawful collection of fingerprints. For example, in Cothron v. White Castle Sys.,[4] plaintiff filed suit against her employer, alleging that White Castle unlawfully scanned her fingerprint without her consent. The plaintiff, who worked as a manager, contends that she grew alarmingly concerned when required to scan her fingerprints to access her pay stubs and computer system. Plaintiff further alleges that her employer never provided a written release before collecting this data. Notably, the Seventh Circuit in Cothron recently issued, to the Illinois Supreme Court, a certified question concerning claim accrual, the results of which will be closely watched by practitioners in this area.

 Cothron is similar to numerous other BIPA cases brought by employees in the state of Illinois. Recent cases include Robertson vs. Hostmark Hospitality Group[5] (holding that plaintiff’s BIPA fingerprint claim survived applicable privacy, penal, and “catch all” statute of limitations parameters); ACLU v. Clearview A.I.[6] (holding that plaintiffs’ facial recognition via online photograph searches constitutes faceprint data under BIPA surviving Illinois’ extraterritoriality doctrine, dormant commerce clause, the first amendment defenses), and Webster v. Triad Senior Living[7] (holding that plaintiff may seek liquidated damages under BIPA whether or not actual damages, beyond violation of the law's provisions, can be shown).

While Cothron serves as yet another reminder that companies must avoid the unlawful collection of fingerprints, Carpenter and Wilcosky emphasize that BIPA’s protection is not limited to just fingerprints. The statute explains that biometric identifiers include,

[A] retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.

740 ILCS 14/10 (emphasis added).

Face geometry is another biometric identifier afforded protection under BIPA. For example, in Monroy v. Shutterfly, Inc., an undisclosed user uploaded a picture of plaintiff on Shutterfly's website.[8] When a photograph was uploaded in Shutterfly’s website, it automatically suggested tagging the photograph with plaintiff’s name, “Alex Monroy.” Plaintiff argues that he never consented to Shutterfly’s “extraction and storage of data representing his face geometry.” The Monroy court found that plaintiff sufficiently pleaded damages resulting from Shutterfly’s alleged BIPA violations, and so Shutterfly’s motion to dismiss was denied.

Recently, plaintiff Kristen Deyerler[9] filed suit in Illinois state court against Hirevue Inc., a hiring service company that relies on artificial intelligence facial recognition software to assess a candidate’s video interview. Plaintiff argues that defendant collected her biometric information – without her permission – by capturing plaintiff’s face on video during a job interview. While Deyerler is in the early stages of litigation, it serves as yet another reminder of the broad protections of the BIPA statute. Indeed, as companies and employers engage the public and their employees, it is critical to remember that BIPA lawsuits can lead to substantial damages for failing to adhere to its strict statutory requirements.  

[1] Case No. 1:21-cv-02906 (N.D. Ill. 2021).

[2] 517 F.Supp.3d 751 (N.D. Ill. 2021).

[3] Case No. 2019 CH 11771 (Cir. Ill. 2020).

[4] 2021 U.S. App. LEXIS 37593 (7th Cir. 2021).

[5] Robertson v. Hostmark Hospitality Group, 2019 Ill. Cir. LEXIS 119.

[6] ACLU v. Clearview Ai, 2021 Ill. Cir. LEXIS 292.

[7] Webster v. Triad Senior Living, 2020 Ill. Cir. LEXIS 1449.

[8] Monroy v. Shutterfly, Inc., 2017 U.S. Dist. LEXIS 149604 (7th Cir. 2017).

[9] Deyerler v. HireVue Inc.., 2022 Ch 00719