It appears Snap has become the most recent company to pay a settlement for alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”). The law, which gives consumers a private right of action, has become a popular basis for class actions and a source of significant penalties. Indeed, Snap joins a string of other companies that have already settled for eye-popping amounts (Google for $100 million, Facebook for $650 million and TikTok for $92 million). But here, the crux of the allegations also involves notice and retention, rather than obtaining the end-user’s consent.

BIPA has a host of requirements, but at the core of most of the recent suits is an allegation that an entity collected a consumer’s biometric data without proper notice or without obtaining the consumer’s informed written consent. Here, the complaint against Snap alleges that the use of lenses and filters creates a map of the user’s face without properly disclosing that the lenses and filters capture biometric details or disclosing how those identifiers are used or retained.

While both Snap and the Plaintiffs seem to agree that Snap does not use facial recognition technology, this point is irrelevant, because lenses are a “scan of hand or facial geometry,” which is covered by BIPA. (See 740 ILCS 14/10.) And here is where this complaint alleges one of Snap’s violations of BIPA: Snap collected these biometric identifiers without “a publicly available retention schedule or guidelines for permanently destroying users’ biometric identifiers nor the initial purpose for collecting such identifiers.” It’s on this point that Snap stands out from other suits, which have focused predominantly on the lack of consent. In this case, plaintiffs sought redress for a lack of disclosure around how data was used, disclosed and retained.

Snap did address this point, saying it retained the facial mapping information only when a user had the application open on their phone, and that Snap deleted the information after the user closed the app. This may raise the question of whether this is actually a violation at all (although an easy work-around might be to explain this point in its Terms & Conditions), and could be why the settlement amount was lower than other BIPA settlements. Alternatively, the settlement amount could suggest courts apply greater scrutiny to consent violations.

Notably, the class consists only of Illinois citizens who had their data collected by Snap in the state of Illinois. The restricted class skirts some of the more pressing jurisdictional issues that continue to percolate around BIPA (e.g., can nonresidents sue for collection that occurs in Illinois? Can Illinois residents sue for collection that occurs outside of Illinois?). Another critical aspect of BIPA that is not discussed, and which the Illinois Supreme Court is still set to address, is whether to calculate penalties per individual or per collection per individual (i.e., does an entity accrue a violation each time it uses technology to capture an individual’s biometrics, or only once for each individual whose biometrics it captures, even if it does so multiple times for that individual). This distinction can dramatically alter the damage calculation in any BIPA suit.

Our Take

Over-retention and a lack of disclosures about retention continue to be the sleeper hit of privacy law. Several regulators have already issued fines (see this or that). In addition, the CCPA lists retention as a specific disclosure companies need to be making in their privacy policy. Now, BIPA seemingly gives consumers the right to sue for a failure to adequately disclose information about how biometric data is disclosed, retained, and ultimately destroyed. Moreover, true Privacy-by-Design, which statutes like CCPA and GDPR champion, requires management of the entire life-cycle of the personal information and necessitates retention-by-design and disposition-by-design.