Siding against Apple, a federal judge has refused to dismiss a lawsuit alleging that the company's Photos app violates an Illinois biometric privacy law that restricts companies from collecting “faceprints.”
The ruling stems from a class-action complaint brought in March by Roslyn Hazlitt and several other Illinois residents who alleged that Apple was violating the Illinois Biometric Privacy Information Act.
That law requires companies to obtain consumers' written consent before collecting or storing certain biometric data -- including scans of facial geometry -- and provides for damages of up to $5,000 per violation.
Hazlitt and the others alleged that since 2016, Apple devices -- including some iPhones, iPads and Macs -- have collected biometric data through the Photos App, which incorporates facial recognition technology.
The complaint alleges that Apple extracts biometric data from users' images, creates facial templates, and then “uses facial recognition algorithms to analyze digital photographs stored on its devices and automatically group photographs into albums based on whether a person’s face is in the photograph.”
The information is allegedly stored on users' devices, which the Illinois residents say creates a security risk.
“The durability of the memory in Apple devices creates a nearly permanent risk of a data breach of biometric identifiers and information,” Hazlitt and the others claim.
Apple urged U.S. District Court Judge Nancy Rosenstengel in the Southern District of Illinois to dismiss the lawsuit at an early stage for several reasons. Among others, the company said that even if the allegations were true, the faceprints generated by its software wouldn't be “identifiers” because they're anonymous, unless users attach names to the photo subjects.
Rosenstengel rejected that argument, ruling that Apple's definition of “identifier” is too narrow.
Apple also argues the complaint should be dismissed because Hazlitt and the others don't allege that the faceprints were “collected” by the company.
“The plaintiffs own and control the devices and the physical media which run the processes and generate the alleged scans of face geometry,” Apple said in a motion filed in June. “The plaintiffs have the unfettered choice to erase any or all data stored on their devices. Only the plaintiffs know the identities of the people in their photos.”
The judge rejected those arguments, at least for now.
“Apple sells devices directly to customers and, if what plaintiffs allege is true, collects the biometric data into a facial recognition database on the device that Apple alone can access,” Rosenstengel wrote in a ruling issued late last week.
She added: “Again, taking their allegations as true, plaintiffs plausibly allege that Apple collected or possessed their data through the Photos app on their Apple devices, and that Apple alone can access the data stored within an internal database on their devices.”