On May 11, 2022, a consent order was entered following a settlement agreement between Clearview AI, the American Civil Liberties Union (“ACLU”), and other parties, ending a two-year-long lawsuit regarding Illinois’ Biometric Information Privacy Act, the nation's first biometric privacy law.
Background
Clearview AI (“Clearview”) is a facial recognition company, providing software to companies, law enforcement, and individuals. Clearview claims to have one of the largest databases of biometric information in the world, consisting of more than twenty billion images that it scraped from the Internet, including images posted on social media applications. Clearview’s primary customers have been law enforcement agencies that use Clearview’s database to identify individuals in surveillance footage, but Clearview also sells access to its database to private companies. As an example, the retailer Macy’s is defending its own class action lawsuit alleging violations of privacy laws based on its use of Clearview’s database to identify shoplifters in surveillance footage.
In May 2020, the ACLU filed a lawsuit against Clearview AI on behalf of the ACLU, the ACLU of Illinois, Chicago Alliance against Sexual Exploitation, Sex Workers Outreach Project Chicago, Illinois Public Interest Research Group, and the Mujeres Latinas en Accion alleging a violation of the Illinois Biometric Information Privacy Act (“BIPA”).
Illinois’ Biometric Information Privacy Act
BIPA, passed in October 2008, is a comprehensive biometric privacy law that requires private entities that collect biometric information to obtain the data owner’s informed consent prior to collection, among other obligations. BIPA applies broadly to any private entity that operates or does business in Illinois, regardless of whether it is headquartered in Illinois or elsewhere, with limited industry-specific exceptions.
What Does It Require?
BIPA requires private entities engaging in the collection of biometric identifiers or information to:
- Maintain a written and publicly available policy that outlines how the data is retained and destroyed and describes the purpose for the collection of the biometric information.
- Obtain the informed consent of the data owner prior to any collection, capture, purchase, receipt by trade, or procurement generally of biometric information.
- Refrain from selling, leasing, trading, or otherwise profiting from biometric information.
- Obtain consent prior to the disclosure or dissemination of biometric information to third parties, unless disclosure is required to complete a transaction requested by the data owner or required by subpoena or law.
- Store, transmit, and protect the biometric information using reasonable standards of care in the entity’s particular industry and to the same or higher standard than for its own confidential information.
The Settlement
The settlement addressed Clearview’s alleged violations of the second obligation: obtaining informed consent from the owners of the biometric information in Clearview’s database. In the settlement, while not admitting to any of the alleged violations, Clearview agreed to various temporary and permanent restrictions, including:
- Clearview agreed to permanently stop selling access to its database to any private entities nationwide (excluding law enforcement), subject to narrow exceptions contained in BIPA.
- Clearview agreed to stop selling access to its database to anyone in Illinois for five years, including both private and government entities such as law enforcement, and regardless of any exceptions in BIPA.
- Clearview agreed to create an opt-out process for all Illinois residents to remove their biometric information from Clearview’s database. For Illinois residents who choose to opt out, Clearview agreed to block any search results including that individual and prevent any future collection of that individual’s photographs to the best of its ability.
In addition to the bans on selling access to its database, Clearview also agreed to delete all facial vectors in the database that existed prior to when Clearview ceased providing or selling access to private individuals or entities.
Takeaways
Clearview’s settlement demonstrates the need for businesses that use facial recognition technology to review their policies and procedures for compliance with privacy laws such as BIPA and other laws nationwide. For companies that conduct their business online, the settlement also demonstrates the national impact of privacy laws from individual states.
In addition to Illinois, many states have passed some form of biometric privacy law, including Texas, New York, California, and Washington, and in recent years more and more states have introduced biometric legislation.
Scrutiny of biometric privacy is not limited to the United States. In Europe, the United Kingdom’s Information Commissioner’s Office just announced that it has fined Clearview $9.4 million for violating U.K. privacy laws by collecting Britons’ biometric data without their knowledge or consent.
Octillo’s dedicated technologists and compliance attorneys routinely provide guidance on technology and privacy laws and are experienced in helping businesses adapt to the constantly evolving legal landscape.