Mitek Systems, a provider of mobile and online identity verification, has been targeted by a class action lawsuit, accusing the company of digitally scanning users’ faces allegedly without first obtaining consent and providing certain notices required by Illinois’ biometrics privacy law.
On Dec. 16, attorneys with the firm of McGuire Law P.C., of Chicago, filed suit in Cook County Circuit Court against Mitek, which is based in San Diego.
The lawsuit was filed on behalf of named plaintiff Joshua Johnson, identified in the complaint only as a resident of Illinois.
According to the lawsuit, Johnson claims to have uploaded an image of his driver’s license and a selfie photograph of his face, to become a verified user of the HyreCar app. HyreCar is an online car rental company, and is purportedly one of the clients that uses Mitek’s systems to quickly and remotely onboard new users.
According to the complaint, Mitek’s systems then scanned the digital images of Johnson’s face, creating and storing a template of his facial geometry, to allow HyreCar to quickly recognize and verify Johnson’s identity later.
According to the complaint, Mitek’s sytems work similarly across the network of clients to whom the company provides similar customer identity verification services.
The complaint does not estimate how many such clients Mitek services globally, or in Illinois.
However, the complaint asserts Mitek provides such services to various clients operating in Illinois, without first obtaining consent from those clients’ customers, or providing those people with certain data retention schedules and notices, allegedly as required by the Illinois Biometric Information Privacy Act (BIPA.)
The complaint seeks to expand the action to include anyone who similarly uploaded their facial images to an online company which used Mitek’s systems to verify their identity.
At this point, plaintiffs said they estimate that class of additional plaintiffs could number at least in the hundreds.
The complaint asks the court to award damages allowed under the BIPA law, of $1,000-$5,000 per violation. Courts have interpreted the BIPA law to define individual violations as each time a person’s biometric identifier – in this case, facial geometry – is scanned.
Thus, under that interpretation, plaintiffs could seek to collect $1,000-$5,000 for each time an Illinois customer’s face may have been scanned by a Mitek verification system. Spread across hundreds of users, that total could easily run well into the millions of dollars.
Mitek, however, is just one of the latest companies targeted by such class actions under BIPA. In recent years, a growing cadre of plaintiffs’ lawyers have used the BIPA law to target businesses of many different types and sizes, from large tech companies to much smaller employers operating in Illinois.
The bulk of the thousands of such lawsuits filed since 2015 have targeted employers over identity-verifying fingerprint scans required of workers punching the clock in the workplace. But a growing number of BIPA class actions in more recent months have taken aim at companies using facial recognition systems, either to boost security, track workers, verify identity or help customers purchase eyewear and cosmetics from home.
Courts have also, to this point, routinely shot down attempts by businesses to defeat such lawsuits or even relieve some of the risk of potentially crippling payouts. That has set the stage for a recent swath of settlements, running from the hundreds of thousands of dollars to as much as $25 million.
Plaintiffs in the Mitek action are represented by attorneys Eugene Y. Turin, Timothy P. Kingsbury, Andrew T. Heldut and Colin P. Buscarini, of McGuire Law.