Online ID verification provider Jumio has been hit with yet another class action lawsuit under Illinois’ biometrics privacy law, as plaintiffs assert the company has continued to improperly scan the faces of Illinois customers after signing a $7 million settlement in mid-2020 to end similar claims in a similar lawsuit under the same law.
On Jan. 12, attorneys with the firm of Edelson PC, of Chicago, filed suit in Cook County Circuit Court against Jumio, headquartered in Palo Alto, California.
The complaint focuses on Jumio’s use of facial recognition technology in software it provides to help other companies, who operate apps and platforms used by consumers, verify the identities of their customers.
J. Eli Wade-Scott
| Edelson P.C.
According to Jumio’s website, the company provides ID verification services to a wide range of online providers, including Equifax, Microsoft, Oracle and many others engaged in banking, finance, gaming, fraud protection and online security, among other services.
This new lawsuit was brought on behalf of named plaintiff Cory Davis, identified as a resident of Cook County, who allegedly used Jumio to verify his identity when he signed up to use the cryptocurrency trading app, Binance.
According to the complaint, Davis, like other Binance users, was required to upload photos of his drivers license, and then take and upload a selfie photo, to prove his identity before he could buy, sell or store cryptocurrency on Binance.
The complaint asserts Jumio then scanned those images, and created and stored a template of Davis’ facial geometry, which Binance could then use to again verify Davis’ identity when he logged on in the future to conduct more business on the app.
The lawsuit does not name Binance or any other company as defendants.
While recognizing the commercial need for identify verification services, the lawsuit claims Jumio violated the Illinois Biometric Information Privacy Act by scanning and storing the facial images without first securing written consent from Davis and other users, and without providing certain notices concerning how the data would be stored, used, shared and ultimately destroyed, as allegedly required by the BIPA law.
While on the books since 2008, the BIPA law has been used by a growing cadre of plaintiffs’ lawyers, including the Edelson firm, to target businesses of many different types and sizes, from large tech companies to much smaller employers operating in Illinois.
The bulk of the thousands of such lawsuits filed since 2015 have targeted employers over identity-verifying fingerprint scans required of workers punching the clock in the workplace. But a growing number of BIPA class actions in more recent months have taken aim at companies using facial recognition systems, either to boost security, track workers, verify identity or help customers purchase eyewear and cosmetics from home.
The potential payoffs to such class actions can be significant.
Under the law, plaintiffs can demand damages of $1,000-$5,000 per violation. Courts have interpreted the law to define individual violations as each time a company or program scans a person’s biometric identifiers, like fingerprints or facial geometry.
Courts have also, to this point, routinely shot down attempts by businesses to defeat such lawsuits or even relieve some of the risk of potentially crippling payouts. That has set the stage for a recent swath of settlements, running from the hundreds of thousands of dollars to as much as $25 million or much more.
Facebook, for instance, settled claims against it, over its photo tagging systems, for $650 million.
Jumio has also been sued previously under BIPA, and settled.
In 2020, lawyers with the Chicago firm of McGuire Law P.C., walked away with more than $2.8 million in fees from a $7 million settlement deal. The firm had filed suit in 2019, also in Cook County court, on behalf of a class of people who had used Jumio and allegedly also had their faces scanned from December 2013 to December 2019.
In the new complaint, the Edelson lawyers specifically reference that settlement. But they assert Jumio did not alter its policies or behavior, which, they said, has spurred the new lawsuit and demands for another payout from Jumio.
“… Jumio failed to address these concerns, and it continues to collect, store, and use consumers’ biometric data in violation of BIPA by using facial recognition technology,” the plaintiffs said.
“… Despite BIPA being in force for over a decade and Jumio being bound by a prior settlement agreement to quickly bring itself into compliance with the law, Jumio persists to this day in violating BIPA through the operation of its biometric identification service.”
The lawsuit seeks to expand the action include everyone in Illinois who has used Jumio to verify their identity when using an online service. The complaint does not specifically limit the class to only those who used Jumio since December 2019.
However, the complaint says the class would exclude anyone “whose claims in this matter have been finally adjudicated or otherwise released.”
As in the previous lawsuit, plaintiffs are seeking damages of up to $5,000 per violation. The complaint asserts there are at least hundreds of people who could be included in the class action.
Plaintiffs are represented in the action by attorneys J. Eli Wade-Scott and Schuyler Ufkes, of the Edelson firm.