An Illinois biometrics privacy law, which has been used to target employers across the state who require workers to scan fingerprints when punching the clock, has now been turned against a subsidiary of ecommerce giant Amazon, which provides cloud data hosting services for those employers and many other companies.
On Nov. 15, lawyers with the firm of McGuire Law P.C., of Chicago, filed a class action complaint against Amazon Web Services, accusing AWS of violating the Illinois Biometric Information Privacy Act.
The lawsuit specifically takes aim at storage AWS provides on its server network for employers and other “commercial customers” who have scanned and captured so-called biometric data from employees, customers and others.
“Defendant (AWS) stores a myriad of types of data on behalf of a wide range of customers spanning virtually every industry sector,” the complaint says. “Notably, Defendant (AWS) also offers cloud storage services for businesses that handle biometric identifiers and biometric information. For example, some of Defendant’s customers are commercial businesses that require their employees to provide their biometrics, e.g. fingerprints, to check in and out of their shifts at work.”
The lawsuit asserts AWS “converts this information into usable formats and mediums for its customers.”
The lawsuit was brought in the name of plaintiff Martin Ragsdale, who is identified only as a resident of Illinois. The complaint does not indicate which “commercial customer” of AWS Ragsdale worked for, nor when, nor how his biometric identifying information allegedly came to be stored by AWS.
The lawsuit opens a potential new front in the continuously mounting class action lawsuit campaign by a cadre of Illinois trial lawyers under the BIPA law.
In recent years, the 2008 law has been used to target tech titans like Facebook and Google over photo tagging and facial recognition programs. But it has primarily been focused against employers of all sizes and across a spectrum of industries, who require workers to scan fingerprints or other biometric identifiers to establish their identity when punching a time clock for work shifts or when accessing secured or sensitive areas, like locked-down rail yards or drug storage closets at hospitals.
However, in more recent months, the lawyers have begun to turn their attention toward larger, more consolidated targets, including the vendors that provide payroll and timeclock services and technology, such as Kronos, ADP and Ceridian, among others.
Currently, hundreds of BIPA-related lawsuits are pending in Cook County and other courts in Illinois and elsewhere, with businesses facing potentially crippling damage awards estimated to be worth millions or even billions of dollars.
In this new case, damages against AWS could be vast, as AWS currently holds nearly half of all public cloud infrastructure in the world, according to a report released earlier this year by research and advisory company Gartner Inc.
The complaint accuses AWS of violating the BIPA law by not obtaining written consent from Ragsdale and others before “obtaining and storing his biometrics,” and by not informing Ragsdale and others of how the information would be stored, used, shared and ultimately destroyed.
The lawsuit seeks damages of $1,000-$5,000 per violation, which some observers and parties in litigation under BIPA-related cases have said could be defined as each time a worker or other person scans a fingerprint or other biometric identifier.
The lawsuit seeks to expand the action to include everyone in Illinois “whose biometric identifiers or biometric information was stored” by AWS “on behalf of a third-party.”