Clearview AI, an app creator that was the subject of a chilling New York Times exposé last month, was just hit with its third class action lawsuit. Clearview scraped images from social media websites to generate a face-recognition database, then licensed the app to law-enforcement and other entities.
Here are the three complaints:
- Mutnick v. Clearview AI, Inc., Case No. 1:20-cv-00512 (E.D. Ill., filed Jan. 22, 2020)
- Hall v. Clearview AI, Inc., Case No. 1:20-CV-00846 (E.D. Ill., filed Feb. 5, 2020)
- Calderon v. Clearview AI, Inc., Case No. 1:20-cv-01296 (S.D.N.Y., filed Feb. 13, 2020)
All three complaints allege a violation of Illinois’ first-in-the-nation biometric privacy law, the Illinois Biometric Information Privacy Act (BIPA) [740 ILCS 14/1 et seq.]
One cannot overstate the importance of BIPA to tech companies that collect consumer data. Google was recently hit with a BIPA class action based on Google Photos’ face recognition technology, and Facebook recently settled a BIPA lawsuit for $550M. Indeed, every company engaged in face recognition, including every company to whom Clearview licensed its app, is potentially vulnerable to a BIPA suit.
Analyzing the lawsuits’ BIPA claims
The BIPA broadly prohibits companies from “obtain[ing] a person's … biometric identifier or biometric information” unless the company (1) tells the person in writing that their information is being stored or used, (2) identifies the “specific purpose and length of term” for which the data is being collected, and (3) obtains a written release. There is no evidence that Clearview complied with any of these requirements. Its conduct obviously qualifies as “obtaining” the data in question.
But that doesn't mean the plaintiffs have an easy path to victory. The critical statutory interpretation question is whether face images contained in publicly available photos constitute “biometric information” or “biometric identifiers” within the meaning of the statute. Clearview will (or should) argue that its conduct is outside the purview of the statute for two and possibly three reasons:
- BIPA expressly exempts “photographs” from its definition of “biometric identifier.” 740 ILCS 14/10.
- Although BIPA defines “biometric identifier” to include a “scan of hand or face geometry,” id., using machine learning to find identifying features in publicly available photos arguably does not amount to a “scan.”
- Depending on its technology's implementation details, Clearview might be able to argue that its face recognition technique relies on image features other than “face geometry.”
Other (non-BIPA) allegations
In addition to the BIPA violations, Mutnick alleges violations of the First, Fourth, and Fourteenth Amendments as well as the Contracts Clause. It also includes a claim for “expungement” of all class members’ data and records. Hall adds claims for conversion and for violation of the Illinois Consumer Fraud and Unfair Business Practices Act, 815 ILCS § 505/2. We will likely see the latter move replicated in other states with similar consumer protection statutes (notably California, which has a broad, plaintiff-friendly Unfair Competition Law [Cal. Civ. Code § 17200 et seq.]).
- Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq.
- The Secretive Company That Might End Privacy as We Know It, N.Y. Times (Jan. 18, 2020)
Ryan McCarl is a Fellow in Artificial Intelligence Law and Policy at the UCLA School of Law.