Global Mindset. Local Instinct.

Costly Lessons from TikTok and Facebook Biometric Privacy Class Action Settlements

by | Mar 29, 2021 | Business & Commercial Law, Greater China Practice

Companies are facing increased scrutiny of their use of biometric data — such as fingerprint scans, facial recognition, and voice recognition to name a few. In the past two years in particular, the number of biometric privacy class action lawsuits filed in the U.S. has skyrocketed.

Many of these lawsuits have been brought under the Biometric Information Privacy Act (BIPA) of Illinois, the first U.S. law and the most stringent of its kind to specifically regulate the collection and use of biometric data.

Adopted by the Illinois state legislature in 2008, BIPA applies to biometric identifiers defined as “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” and information based on such biometric identifiers used to identify an individual (collectively “biometric data”).

The law places several limitations on how a company may handle biometric data including:

  • Obtaining proper consent before collecting and disclosing biometric data
  • Refraining from profiting from biometric data
  • Developing a publicly available written policy on the retention and deletion of biometric data
  • Using reasonable standards of care as applicable to the company’s industry in handling biometric data

Facebook and TikTok Reached Multimillion-Dollar Settlements for Alleged BIPA Violations 

BIPA litigation continues to make national and international headlines. Recent high-profile cases include class action claims filed against major tech companies such as Facebook and TikTok and resulted in multimillion dollars of settlements.

Last month, the short-video sharing app, TikTok, agreed to pay $92 million to settle the class action lawsuit for improperly collecting users’ biometric data in violation of BIPA.

The settlement arises out of 21 separate federal privacy lawsuits against TikTok (and its China-based parent company ByteDance) filed in California and Illinois that were later consolidated as one class action and transferred to the U.S. District Court for the Northern District of Illinois.

The consolidated class action complaint alleges that TikTok collects biometric data (face templates and voiceprints) from its users without first obtaining users’ consent and uses biometric data to profile its users for unlawful purposes such as ad targeting and profit.

In an early biometric privacy case against Facebook, the company paid $650 million to resolve the class action claims arising out of its uses of facial recognition technologies on the photos that its users upload to its website, allegedly also without first obtaining consent from its users.

Notably, the $650 million settlement, one of the largest privacy settlements in U.S. history, was reached after five years of hotly contested litigation and intensive discovery, including an appeal to the U.S. Court of Appeals for the Ninth Circuit and a petition for a certiorari to the U.S. Supreme Court.

The TikTok settlement, which is currently awaiting court approval, was reached earlier on — after more than a year of litigation. As noted in the settlement proposal, this settlement was reached, in part, to avoid “embarking on years of protracted and uncertain litigation”.

BIPA Class Action Lawsuits Will Continue to Multiply in the Coming Years

As for now, BIPA is the only U.S. biometric privacy law that allows private individuals (as opposed to state AGs) to directly file lawsuits for damages stemming from a biometric privacy violation.

BIPA allows harmed individuals to seek statutory damages of $1,000 per negligent violation and $5,000 per reckless or intentional violation (or actual damages if the number is greater), along with attorney’s fees and litigation expenses.

Furthermore, since 2019, a few U.S. courts, notably the Illinois Supreme Court, the Seventh Circuit and the Ninth Circuit, have allowed BIPA cases to proceed solely based on a violation of the statute itself, regardless of whether such violation has caused any real damage (e.g. monetary damage) beyond intruding upon a person’s privacy right.

These plaintiff-favorable judicial decisions, coupled with the availability of the private right of action and per-violation based statutory damages, have led to a sharp increase of BIPA class action lawsuits filed in the past two years. It is expected that BIPA class action lawsuits will continue to multiply in the coming years.

Suggestions for Companies Handling Biometric Data

Companies that routinely handle biometric data need to carefully assess their potential exposure to BIPA litigation and take all necessary steps to minimize the risks of becoming embroiled in this type of litigation.

As the multimillion-dollar settlements involving TikTok and Facebook illustrate, failure to comply with BIPA carry severe consequences, as BIPA violations carry hefty statutory penalties that could potentially translate into large settlement amounts.

It is also worth pointing out that, although being a more than a decade-old law, BIPA has become a popular tool to pursue privacy class action lawsuits only in recent years. This means BIPA still leaves many fundamental questions open for the courts to resolve, including issues related to its scope and applicability.

As many BIPA cases are settled outside of the courtroom, it remains to be seen when and how case law in this emerging area will develop and become more settled.  This means not only could BIPA litigation take years to resolve, but it also involves novel and evolving issues that add to the litigation uncertainties.

Furthermore, the coming years will continue to see class action lawsuits filed under BIPA due to class action plaintiff’s ability to seek high statutory damages with low threshold of proof. As such, it is advisable that companies with exposure to BIPA work with legal counsel to evaluate whether their current compliance policies comply with the BIPA requirements.

Lastly, BIPA is not the only U.S. biometric privacy law that a company has to worry about. Other states, such as Texas, Washington and California, have also passed laws to address the use and collection of biometric data. As biometric data are increasingly collected and/or used by companies, more states, and even the federal government, may enact laws to regulate biometric data. Companies are thus advised to keep abreast of the latest developments in biometric regulations as well as case law in this area.

 

美国数据合规:从脸书和TikTok生物数据隐私集体诉讼案看“刷脸”背后的法律风险

近年来,在美企业因为使用生物识别技术(如指纹识别、人脸识别和声音识别技术等)而面临越来越多的社会争议及诉讼风险。尤其在过去两年间,在美提起的涉及生物识别信息隐私侵权的集体诉讼案件数量急剧上升, 其中大量案件援引了美国伊利诺伊州《生物识别信息隐私法案》(BIPA)。

BIPA是美国第一部专门针对生物识别数据的采集和使用进行规制的法律,也是同类法律中最为严格的。

BIPA于2008年颁布,适用于生物标识,即视网膜或虹膜扫描图、指纹、声纹、手或脸的几何扫描图形,以及基于生物标识可识别特定个人的信息(下文统称“生物识别信息”)。

针对生物识别信息,BIPA对相关企业提出下述要求:

  • 在收集及披露生物识别信息前征得信息主体的同意
  • 不得通过生物识别信息牟利
  • 针对生物识别信息的留存、销毁制定并发布相关的书面政策
  • 谨慎处理生物识别信息,应至少遵照企业所在行业的安全标准

科技巨头身陷生物特征隐私集体诉讼,和解金额或以亿计

生物特征隐私诉讼近日频频登上美国国内及国际新闻的头条,其中针对科技巨头公司的隐私集体诉讼备受外界关注,在相关案件中,针对涉嫌侵犯用户隐私的行为,涉事科技企业往往愿意支付高额的和解金。

就在上月, TikTok(抖音短视频国际版)同意支付9200万美元以针对因涉嫌非法采集用户生物识别信息而提起的集体诉讼达成和解。

该隐私诉讼案起源于TikTok用户自2019年起在加州和伊利诺伊州联邦法院陆续提起的21起独立的集体诉讼案,这些集体诉讼案后续被合并为一起集体诉讼案并由伊利诺伊州北区联邦地区法院统一进行审理。

诉状称TikTok在未事先征得用户同意的情况下便收集了用户的生物识别数据(包括面部数据及语音信息)并且利用相关数据对用户偏好进行分析,用于投放定向广告和盈利等非法目的。

早先,在另一起针对社交网站脸书(Facebook)的生物识别信息集体诉讼案中,用户诉称脸书未经允许擅自利用人脸识别技术对用户上传到网站上的照片中的个人身份进行识别。

作为美国历史上最大的隐私和解案之一,脸书以高达6.5亿美元的巨额和解金达成和解。

之前,原被告双方在法庭激烈对抗了五年之久并且进行了多轮证据交换。该案也历经向第九巡回法院提出上诉以及向最高法院申请复审等程序。

而TikTok案的原被告在经过一年多的诉讼后便敲定了和解方案,目前该和解方案正等待联邦法院批准。相关和解文件指出,双方之所以达成和解的部分原因就是为了避免“陷入多年旷日持久和充满不确定性的诉讼”。

预计未来几年内BIPA集体诉讼案将仍继续呈倍增长

到目前为止,BIPA是美国唯一允许个人直接向企业就侵犯生物特征隐私提起诉讼并寻求损害赔偿的的法律(其他州仅允许州检察长提起相关诉讼)。

根据BIPA规定,违法企业针对每起过失违法行为赔偿1000美元,针对每起故意或放任违法行为赔偿5000美元(如实际损失较大,也可根据实际损失进行赔偿),个人也可要求违法企业承担律师费及诉讼费。

根据自2019年以来发布的美国法院判例,尤其是来自伊利诺伊州最高法院以及联邦第七、第九巡回上诉法院的相关法院判例,BIPA案件中的原告在寻求法定赔偿时只需证明其隐私权受到了侵害(如企业未经同意采集面部信息),而并不需要证明相关侵权行为是否对其造成了实际损害(如侵权行为是否造成金钱损失)。

随着上述对原告有利的判例的发布,并且BIPA本身就允许个人就每次违反隐私权的行为寻求法定赔偿金,导致在过去两年间基于BIPA提出的隐私集体诉讼案件数量急剧上升。预计在未来几年内该领域的集体诉讼还将继续成倍增长。

对相关企业的建议

笔者建议经常处理生物识别信息的企业仔细评估其面临的BIPA诉讼风险并采取一切必要措施以尽量避免卷入此类诉讼。

如上文所述,TikTok和脸书针对生物识别信息隐私集体诉讼达成的和解金额高达千万甚至上亿美元,显然违反BIPA将会带来严重的法律后果。由于企业需要针对每次违法行为支付1000到5000美元不等的法定赔偿金,这意味着集体诉讼的和解金额通常不会太低。

另外值得一提的是,尽管BIPA已经存在了十多年,但在最近几年该法律才被广泛用于隐私集体诉讼,因此BIPA仍有许多基本问题(包括其适用范围)需要美国法院作出进一步的释明。

由于目前许多BIPA案件以庭外和解告终,因此这一新兴领域的判例法将如何发展还有待观察,这也意味着,对涉事企业而言,除了面临耗时数年的诉讼之外,围绕生物识别信息这一新兴领域开展的诉讼将充满着不确定性。

并且,鉴于高额的法定赔偿金加上较低的举证门槛,笔者预计未来几年内还将继续看到根据BIPA提起的集体诉讼,因此相关企业应该积极与专业律师合作,以评估其当前的合规政策是否符合BIPA的要求。

最后,BIPA并不是美国唯一的生物识别隐私法,德克萨斯州、华盛顿州和加利福尼亚州等州也通过了类似的法律(尽管这些州尚不允许个人直接向企业提起诉讼)。随着生物识别数据被越来越多的公司采集和使用,更多的州政府甚至联邦政府都可能会出台相应的法律以针对生物识别技术相关领域进行监管,故而笔者建议相关公司应持续关注生物识别信息领域法规的最新立法及司法动向。