Illinois Federal Court Dismisses BIPA Suit Against X, Holding “Biometric Identifiers” Must Identify Individuals

An Illinois federal court has dismissed a proposed class action alleging X Corp. violated the state's Biometric Information Privacy Act ("BIPA") through its use of PhotoDNA software to create "hashes" of images to scan for nudity and related content. The court held that Plaintiff failed to allege that the hashes identified photo subjects and therefore failed to allege that the hashes constituted biometric identifiers. Martell v. X Corp., 2024 WL 3011353, at *4 (N.D. Ill. June 13, 2024).

BIPA prohibits private entities from collecting or capturing "a person's or a customer's biometric identifier or biometric information" without first obtaining the subject's informed consent, among other requirements. 740 ILCS 14/15(b). BIPA defines "biometric identifier" as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry" and defines "biometric information" as any information "based on an individual's biometric identifier used to identify an individual." 740 ILCS 14/10.

In dismissing the complaint, the court agreed with X's arguments that Plaintiff failed to plausibly allege (1) that the PhotoDNA software collects scans of facial geometry and (2) that the hashes identified photo subjects. First, the court rejected Plaintiff's "conclusory" assertion that the creation of a hash from a photo that includes a person's face "necessitates" creating a scan of facial geometry, saying, "The fact that PhotoDNA creates a unique hash for each photo does not necessarily imply that it is scanning for an individual's facial geometry when creating the hash." Id. at *2. The court distinguished Plaintiff's allegation from those that withstood dismissal in a different case in which the plaintiff alleged that scans of photos "located her face and zeroed in on its unique contours to create a 'template' that maps and records her distinct facial measurements." Id. at 3 (quoting Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1091 (N.D. Ill. 2017)).

Second, and importantly, the court agreed with X that the complaint did not allege that the hashes could be used to identify individuals in photos and therefore were not biometric identifiers. It rejected Plaintiff's argument that "BIPA does not require that biometric identifiers be used to identify an individual because, unlike the definition for biometric information, the definition for biometric identifier does not include the 'used to identify an individual' language.'" Id. at *3.

Considering the plain language of the term "biometric identifier," dictionary definitions of "identifier," and case law, the court held that in order to qualify as a biometric identifier, a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry must identify an individual. The court reasoned that otherwise, "it would contravene the very purpose of BIPA," asking, "If a face geometry scan could not identify an individual, how could a business provide the individual with notice and obtain their consent?" Id. This decision may guide other courts to narrowly construe the term "biometric identifier" and highlights the importance of future BIPA defendants considering arguments that particular scans or data may not qualify as biometric identifiers if they do not identify specific individuals.