• by Wendy Davis  @wendyndavis, October 21, 2022

Microsoft and Amazon defeated a class-action complaint claiming the companies violated an Illinois biometric privacy law by allegedly amassing a database of faceprints.

In a ruling issued this week, U.S. District Court Judge James Robart in Seattle said Microsoft did not engage in the kind of conduct in Illinois that would subject the company to that state's law.

Robart also dismissed the claims against Amazon, but that ruling is not yet public.

The decision comes in a lawsuit filed in 2002 by Illinois residents Steven Vance and Tim Janecyk. They alleged that the tech companies obtained a faceprint database from IBM, which reportedly acquired 100 million pictures from the photo-sharing service Flickr.

Amazon and Microsoft allegedly obtained the database in order to bolster their facial-recognition products and technologies, Vance and Janecyk alleged in class-action complaints against the companies.

Vance and Janecyk contended that the companies violated the Illinois Biometric Information Privacy Act, which requires companies to obtain consumers' written consent before collecting or storing certain biometric data -- including scans of facial geometry.

Both companies argued that any potential violation of the Illinois biometric privacy law occurred outside the state.

Amazon said researchers in the states of Washington and Georgia, but not Illinois, either downloaded or examined the faceprint database.

Those researchers ultimately found the data was “unsuitable for their research purposes,” and the database was never used, Amazon added in a motion for summary judgment.

Microsoft also said it did not download the alleged biometrics in Illinois, and had no reason to know that the faceprint database may have had links to Illinois residents' photos.

Microsoft said that the photos were unusable for research purposes, because they were low-quality and not the type of headshots used in a driver's license or passport.

The companies argued to Robart that it would be unconstitutional to allow Illinois lawmakers to regulate out-of-state activity, because only Congress can regulate interstate commerce.

Robart said in his ruling that even if Microsoft encrypted and stored the photos on a server in Illinois, any connection between the company and that state was “too attenuated and de minimis” to support a finding that the alleged violation occurred primarily in Illinois.