
COOK COUNTY RECORD

Monday, May 6, 2024

'Sometimes stretch a little too far:' Unusual quick win for FaceTec vs biometrics class action offers guide for others


Since 2015, thousands of class action lawsuits, potentially worth many millions of dollars apiece, have been aimed at businesses in Illinois under the state's stringent biometrics privacy law.

But few, if any, have ever met with as quick - and easy - of a demise as the ill-fated class action lawsuit against ID verification scanning tech vendor FaceTec.

The lawsuit, filed early last December in Cook County Circuit Court, was quite similar to any of the thousands filed against other companies under the law known as the Illinois Biometric Information Privacy Act.



The lawsuit contended Las Vegas-based FaceTec violated the BIPA law by allegedly failing to obtain consent from customers, and by allegedly failing to provide BIPA law notices explaining the need to scan visitor faces and how the company might use the stored facial scans, before scanning customers' faces. The suit was dismissed March 7.

“We had been following (BIPA) because it’s a big concern in the industry and we knew at some point someone was going to come after us,” said Terry Coffing, FaceTec's chief legal officer.

Founded in 2013, FaceTec describes itself as a world leader in 3D "real-time" facial scanning. The company has provided face scanning software and services used by dating app Tinder and a wide variety of other online services to verify the identity of their users.

After being served with the lawsuit, FaceTec sent the plaintiff’s firm, McGuire Law P.C., of Chicago, a detailed analysis explaining how its software is different compared to the other companies being sued under BIPA. 

McGuire Law has been a prolific filer of BIPA-related litigation in recent years, ranking among the leading plaintiffs' firms in BIPA litigation.

But Coffing said, in this case, the lawsuit's standard BIPA claims did not adequately account for the actual nature of FaceTec's tech. 

“All of our software runs behind our client’s firewall. FaceTec never receives any biometric information, so that is a huge differentiator in the business. Most of the people that are getting in trouble they collect the biometrics, they send it someplace for processing and they come back with results. We don’t do that. Everything happens on the server side of our clients’ so it’s totally secure. Unphishable,” Coffing said. 

“We don’t become a target for anyone. Once we pointed out how different we were, and pointed out in the statute that we really aren’t covered under the statute they abided by their legal and ethical obligations and dismissed the case.”

Attorney Gerald Maatman, of the firm of Duane Morris, of Chicago, served as lead defense counsel on FaceTec’s case. Maatman has defended dozens of BIPA class actions over the last seven years.

Maatman said they approached the FaceTec case by demonstrating to the plaintiff’s counsel that they didn’t understand how the software worked and didn’t understand that the software did not implicate the law.

“I think that is happening more and more as plaintiffs begin to utilize BIPA in a very creative, innovative way, and sometimes they stretch it a little too far when shown they can’t advance a viable theory,” Maatman said.

Other companies could benefit from understanding that approach, Maatman said. They can defend the case before it gets to the courthouse and undertake efforts to show there are too many impediments to the lawsuit.

“It was a big day for us,” Coffing said. “I think a lot of people have taken notice and a lot of people have started to ask themselves, ‘Why am I sending my information overseas?’”

For the industry, Coffing said companies have to rethink how they’re approaching biometrics.

He said tech giant Apple "does a very good job" because with their hardware, the data "never leaves your device and it’s not attractive to anyone."

“But all these other companies that are using third-party processors, I don’t care what encryption you use, if you’re sending personal identifiable information or biometric information largely overseas you’re just paying for trouble. And we’ve seen it. We’ve seen lots of security breaches out there," Coffing said.

Coffing said the industry and government have started to take notice and are having to rethink how they do things, which is necessary, he said, because biometrics are here to stay.

“Once they figure out how to secure it properly then that’ll be a big sea change in the industry," Coffing said. "Candidly, it’s going to put a lot of people out of business. Only the ones that get it are going to be the ones left standing and we like to think that we’re one of those.”

BIO-key International, a provider of workforce and customer identity and access management solutions, was faced with a similarly misguided BIPA class action lawsuit a few years ago related to its product line of consumer fingerprint padlocks. The complaint claimed that “when the plaintiff enrolled his fingerprint into the padlock (that he had purchased from Best Buy), BIO-key obtained his fingerprint without informed consent."

“This sleight of hand attempted to re-insert BIO-key into the ownership of a product that had been sold into the stream of commerce and was 100% the property of the plaintiff,” said Jim Sullivan, senior vice president of strategy and compliance and chief legal officer. “Like FaceTec, BIO-key wasn't obtaining fingerprints, but we took a different approach than FaceTec.”

BIO-key’s approach was to expose the false claim in the complaint, he said, and put the plaintiff’s attorney on notice to revise it or be subject to Rule 137 sanctions in Illinois. Those sanctions closely track Federal Rule of Civil Procedure 11, which provides that a district court may sanction attorneys or parties who submit pleadings for an improper purpose or that contain frivolous arguments or arguments that have no evidentiary support. Rule 137 requires that attorneys conduct reasonable inquiry into the facts of all filings, or be subject to sanctions. The BIO-key case was dismissed within a week of filing.

To provide its customers with a product built for privacy and compliance, BIO-key built ironclad processes and workflows into its product so that anyone who is going to enroll in BIO-key, for example as part of their biometric implementation, goes through a consent workflow or does not get enrolled, Sullivan said.

“That customer can tell any plaintiff that comes sniffing around look who we’re using, look at how it works. They can’t get in there if they didn’t go through consent whereas it seems like with a lot of products they simply say, ‘Just make sure you get consent and store it somewhere else in the world.’ We’re making it so that it’s actually stored with the enrollment, the text of the consent they gave and just that workflow from an evidentiary point of view says these people can’t be in the database if they didn’t give consent.”

The consent includes the disclosure of how the data will be used and how long it will be kept.

“If I had to get a message across touting how you do it right, I believe you can build products that ensure processes are followed, that customers and what I call the innocent users of the technology don’t have to become legal experts to avoid falling victim as we’ve seen over and over again," Sullivan said.
