Amazon must face claims that it violated an Illinois biometric privacy law by providing cloud services to gaming company Take-Two Interactive, which allegedly lets users upload their photos in order to create avatars, a federal judge ruled Tuesday.
The ruling, issued by U.S. District Court Judge Rita Lin in Seattle, adopts a recommendation issued in May by U.S. Magistrate Judge Michelle Peterson. Lin's written opinion spelling out her reasoning isn't yet publicly available.
Lin's ruling comes in a battle dating to 2021, when Illinois resident Ann Mayhall alleged in a class-action complaint that her 16-year-old son purchased the Xbox One game NBA 2K21, and used Take-Two's “face scan” feature to take photos of his face. Those photos were then used to create a custom player with the teen's face, according to the lawsuit.
Mayhall claimed that Amazon violated the Illinois Biometric Information Privacy Act, which requires businesses to obtain people's written consent before collecting biometric identifiers -- including scans of face geometry.
Mayhall's son, Dominic Mayhall, who turned 18 after his mother sued, last year filed an amended complaint under his own name. That amended complaint alleged that Amazon obtained users' face geometry from Take-Two, transmitted the material through servers, and delivered it to online multiplayer game sessions.
Amazon urged Peterson to recommend that Mayhall's amended complaint be dismissed, arguing that even if the allegations were proven true, they wouldn't show that the company actually possessed gamers' biometric data. Amazon also argued that the Illinois law doesn't apply to passive cloud services providers.
Peterson sided against Amazon, writing in her May recommendation that Amazon and Amazon Web Services allegedly “knowingly obtained users’ face geometry data from Take-Two,” and retained the data on their servers.
Amazon subsequently urged Lin to reject Peterson's recommendation and dismiss the lawsuit, arguing that applying the Illinois biometric privacy law to providers of cloud services would “impose impossible burdens that would chill commerce.”
Extending the privacy law to cloud services providers would require them “to review the contents of trillions of customer files (including private, confidential, or even privileged communications) to try to determine if they contain alleged biometric data, an intrusion that is prohibited by [Amazon's] agreements with their customers and against public policy,” the company argued to Lin.
“That impossible undertaking has serious privacy and data-security implications,” Amazon added.
Lin is expected to publicly release a redacted version of her opinion by next week.