
Facial Recognition Company Enters into Settlement Agreement for Alleged Violations of Illinois’ Biometric Information Privacy Act

On May 11, 2022, a consent order was entered into following a settlement agreement between Clearview AI, the American Civil Liberties Union (“ACLU”), and other parties, ending a two-year-long lawsuit regarding Illinois’ Biometric Information Privacy Act, the nation’s first biometric privacy law.



Clearview AI (“Clearview”) is a facial recognition company, providing software to companies, law enforcement, and individuals. Clearview claims to have one of the largest databases of biometric information in the world, consisting of more than twenty billion images that it scraped from the Internet, including images posted on social media applications. Clearview’s primary customers have been law enforcement agencies, which use Clearview’s database to identify individuals in surveillance footage, but Clearview also sells access to its database to private companies. As an example, the retailer Macy’s is defending its own class action lawsuit alleging violations of privacy laws based on its use of Clearview’s database to identify shoplifters in surveillance footage.

In May 2020, the ACLU filed a lawsuit against Clearview AI on behalf of the ACLU, the ACLU of Illinois, Chicago Alliance against Sexual Exploitation, Sex Workers Outreach Project Chicago, Illinois Public Interest Research Group, and the Mujeres Latinas en Accion alleging a violation of the Illinois Biometric Information Privacy Act (“BIPA”).


Illinois’ Biometric Information Privacy Act

BIPA, passed in October 2008, is a comprehensive biometric privacy law that requires private entities that collect biometric information to obtain the data owner’s informed consent prior to collection, among other obligations. BIPA applies broadly to any private entity that operates or does business in Illinois, regardless of whether they are headquartered in Illinois or elsewhere, with limited industry-specific exceptions.


What Does It Require?

BIPA requires private entities engaging in the collection of biometric identifiers or information to:

  1. Maintain a written and publicly available policy outlining the retention and destruction policies for the data and describe the purpose for the collection of the biometric information.
  2. Obtain the informed consent of the data owner prior to any collection, capture, purchase, receipt by trade, or procurement generally of biometric information.
  3. Refrain from selling, leasing, trading, or otherwise profiting from biometric information.
  4. Obtain consent prior to the disclosure or dissemination of biometric information to third parties, unless disclosure is required to complete a transaction requested by the data owner or required by subpoena or law.
  5. Store, transmit, and protect the biometric information using reasonable standards of care in the entity’s particular industry and to the same or higher standard than for its own confidential information.


The Settlement

The settlement addressed Clearview’s alleged violations of the second obligation: obtaining informed consent from the owners of the biometric information in Clearview’s database. In the settlement, while not admitting to any of the alleged violations, Clearview agreed to various temporary and permanent restrictions, including:

  • Clearview agreed to permanently stop selling access to its database to any private entities nationwide (excluding law enforcement), subject to narrow exceptions contained in BIPA.
  • Clearview agreed to stop selling access to its database to anyone in Illinois for five years, including both private and government entities such as law enforcement, and regardless of any exceptions in BIPA.
  • Clearview agreed to create an opt-out process for all Illinois residents to remove their biometric information from Clearview’s database. For Illinois residents who choose to opt out, Clearview agreed to block any search results including that individual and prevent any future collection of that individual’s photographs to the best of its ability.

In addition to the bans on selling access to its database, Clearview also agreed to delete all facial vectors in the database that existed prior to when Clearview ceased providing or selling access to private individuals or entities.



Clearview’s settlement demonstrates the need for businesses that use facial recognition technology to review their policies and procedures for compliance with privacy laws such as BIPA and other laws nationwide. For companies that conduct their business online, the settlement also demonstrates the national impact of privacy laws from individual states.

In addition to Illinois, many states have passed some form of biometric privacy law, including Texas, New York, California, and Washington, and in recent years more and more states have introduced biometric legislation.

Scrutiny of biometric privacy is not limited to the United States. In Europe, the United Kingdom’s Information Commissioner’s Office just announced that it has fined Clearview $9.4 million for violating U.K. privacy laws by collecting Britons’ biometric data without their knowledge or consent.

Octillo’s dedicated technologists and compliance attorneys routinely provide guidance on technology and privacy laws and are experienced in helping businesses adapt to the constantly evolving legal landscape.

*Attorney Advertising – prior results do not guarantee future outcomes.

Force Majeure Contract Provisions Amid the COVID-19 Pandemic


As COVID-19 puts pressure on companies trying to comply with their contractual obligations, it is time to take a look at the provision that might excuse performance: the Force Majeure provision. This provision works to excuse parties from performing their obligations when an unforeseen event occurs. COVID-19 may fall right into the description of that unforeseen event, but whether a party can take advantage of performance excusal depends on the Force Majeure provision itself. Given the ever-changing landscape around COVID-19, organizations may want to consider the following to understand what terms come into play for a Force Majeure event:

1. Review Your Force Majeure Provision

What events are covered?

Look at the events listed in the Force Majeure provision. Most Force Majeure provisions state that Force Majeure events occur when the event is “beyond the party’s control.” If an organization is claiming Force Majeure, it should be prepared to make the argument that federal and state mandates pursuant to COVID-19 are beyond its control. If specific events are listed in the provision, organizations should review whether the event aligns with COVID-19. For example, “acts of God,” public health emergencies, epidemics, or pandemics may be listed. It is worth noting in light of the COVID-19 pandemic that a virus/bacteria may be excluded if it is a contract for health-related services.

Are any events carved out?

Review whether any specific events are carved out of the provision.  Savvy contract drafters will carve out certain events that are more likely to impact performance for the specific services being provided to ensure the performance is not excused.

How is the event triggered?

The occurrence of Force Majeure events does not necessarily trigger the provision.  Some provisions may require formal declarations from federal or state entities declaring emergencies.  Organizations should evaluate whether the Force Majeure provision has any such prerequisites for excusing performance.

It is also possible that reactions to COVID-19 will greatly frustrate an organization’s performance, rather than making it so impossible that the performance is excused under a Force Majeure provision. In these cases, there is no clear-cut answer for how to handle the situation, so the parties will need to work together to come up with solutions that make complying with contractual obligations easier.

2. Review Requirements for Claiming Force Majeure

The contract may include specific deadlines and notice requirements for claiming Force Majeure. Organizations should review the requirements for making such a claim to avoid missing the relevant window of time.

3. Consider Contracts Being Currently Negotiated

If an organization is in the middle of negotiations for an agreement, it should review the Force Majeure provision and consider adjusting to contemplate complications arising from COVID-19.  The organization can also consider adding additional termination rights or longer periods for cure to combat further fallout from the virus.

Our Octillo Team continues to closely monitor the legal and business implications associated with the COVID-19 pandemic.  It is critical that companies align with experienced counsel to proactively assess their existing contractual obligations and the obligations of their counterparts.  The Octillo Team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for your business in the event coverage is needed.  

*Attorney Advertising: Prior Results Do Not Guarantee a Similar Outcome


Important Privacy Developments in New York State


**Alert Update: The SHIELD Act has been signed into law, and is effective in New York State on March 22, 2020.

As always, Octillo lawyers are available to assist in addressing any questions you may have regarding data security developments. Please feel free to contact us.

There are two important privacy developments in New York State that companies should take note of: the Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the New York Privacy Act (NYS5642).  If passed, these pieces of legislation will impose more stringent data security requirements on companies that collect information from New York residents.


Passed by the State’s legislature, the SHIELD Act updates New York’s general business law (GBL 899-aa) governing notification requirements, consumer data protection obligations, and broadens the Attorney General’s oversight regarding data breaches impacting New Yorkers.

Specifically, the Act purports to:

  • Expand the scope of information subject to the current data breach notification law to include biometric information, email addresses, and corresponding passwords or security questions and answers;  
  • Broaden the definition of a data breach to include unauthorized “access” to private information from the current “acquired” standard;
  • Apply the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State;  
  • Update the notification procedures companies and state entities must follow when there has been a breach of private information; and
  • Create reasonable data security requirements tailored to the size of a business.


Passed by the legislature, awaiting signature by the Governor. Additionally, amendments to the Act are currently pending. 



This bill, which has passed the Senate, was proposed by State Senator Thomas and is currently pending before the Senate Consumer Protection Committee. It has been compared to the General Data Protection Regulation and California Consumer Protection Act but differs in certain respects. Among other things, it purports to apply to most entities doing business in New York State, and includes those businesses outside the state that produce products or services targeted to NYS residents. Unlike the CCPA, there is no monetary or revenue threshold that must first be met to be included in the Act’s jurisdictional scope. 

This Act governs (and in some instances, limits) the collection and use of personal data by those entities. It requires consent, provides for certain data subject rights (correction, deletion), and includes a private right of action against companies processing jurisdictional personal data. The bill does purport to exempt from its reach data sets governed by HIPAA/HITECH.


Pending in Senate Consumer Protection Committee.  


This bill is likely to pass the Senate.  However, as there is no same-as bill in the Assembly, the bill likely will not be passed this session. That said, it is a priority bill for Sen. Thomas and we expect more pressure next year to pass it.

Octillo Law PLLC continues to monitor privacy bills and regulations pending in New York State, including:

  • Proposed NYS Biometric Privacy Act;
  • Department of Financial Services regulations impacting credit reporting agencies;
  • New York Department of State Emergency Regulations on Identity Theft prevention and mitigation;
  • Proposed legislation relating to the New York State Cyber Security Advisory Board, a Cyber Security Action Plan for the State, and Periodic Cyber Security Reports.

Have questions? Our team at Octillo is uniquely positioned to advise on emerging privacy laws at both the state and national level. Contact us today for a consultation.

*Attorney Advertising: Prior results do not guarantee a similar outcome.


Evolving Privacy Paradigms

Privacy paradigms all over the world are quickly evolving, starting with the European Union’s adoption of the General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law, India’s pending Personal Data Protection Bill, and California’s just-passed Consumer Privacy Act. While the specifics vary, the international trend in adopting a comprehensive privacy law to govern all sectors, industries and emerging technologies remains. What’s more, the international paradigm is shifting away from a US-backed view of personal data as a commodity, and towards the EU’s view of personal data as an extension of self, with a range of human rights implications for data subjects. From the right to notice, access and correction to the right to portability and even erasure, companies subject to international privacy laws must have processes in place to identify personally identifiable information and respond expeditiously to the requests of individuals.

Depending on past data practices, businesses may also be faced with legacy archives of personal data now subject to international regulation. Inventorying your company’s data archives, classifying that data based on its content and sensitivity, and processing or destroying it appropriately are all necessary steps that businesses will need to take in the near term. Businesses should also consider whether de-identification and anonymization of personally identifiable information provides an avenue to avoid the strictures of some of these international privacy regimes.

To successfully operate in a multi-jurisdictional world, businesses must appreciate the evolving privacy paradigms currently in play and adapt to them within the requisite time frames. With penalties nearing 4% of annual worldwide revenues for the GDPR, compliance is key. Octillo attorneys know the difference between being in compliance with privacy laws, and being able to demonstrate that compliance to the satisfaction of a national or international regulator. Call experienced counsel on whether and how your company can comply with the GDPR or national and international privacy laws.

DISCLAIMER: This client advisory is for general information purposes only. It does not constitute legal advice, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought.