Illinois Court Issues Decision on Biometric Data Collection by Amazon
On October 31, 2023, the U.S. District Court for the Northern District of Illinois issued a decision regarding the way a private entity has to notify data subjects before collecting their biometric data.
The decision comes following a privacy class action known as Wilcosky, et al. v. Amazon.com, Inc., et al., No. 19-CV-5061, where several individuals claimed that Amazon’s AI, Alexa, a digital assistant for Amazon’s services that is voice operated, was not compliant with Illinois’ Biometric Information Privacy Act (BIPA), specifically, points 15 (b), (c), (d) of the law.
According to these points,
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:
(1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;
(2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;
(3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or
(4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
In particular, the Court reviewed Amazon’s Voice ID feature, which is something users have to enroll into, or opt in, by navigating to a screen where they are notified that this feature “enables Alexa to learn your voice, recognize you when you speak to any of your Alexa devices, and provide enhanced personalization.” The same screen displays at the bottom a hyperlink to the Terms of Use where users are informed that Voice ID “uses recordings of your voice to create an acoustic model of your voice characteristics.” Before completing this process of opting into the use of the Voice ID feature, a user has to agree to the terms of use and provide their authorization for “the creation, use, improvement, and storage” of his or her Voice ID by tapping an “Agree and Continue” button.
In addition, plaintiffs have claimed that while only one member of a household has gone through the process of onboarding and provided consent for data collection, storage and processing, information of another household member was collected as well, even though they never provided their consent. Amazon argued that those who had enrolled into Voice ID received the required notice and provided their written consent by completing the processes of feature activation and agreeing to terms of data processing.
Additionally, it was alleged that “Amazon disclosed, redisclosed, or disseminated” their biometric data, and as such it is in violation of this Section of BIPA. Same as with the previous point, Amazon moved to have this dismissed as it claimed that the plaintiffs cannot provide the actual details of the third parties with which it has allegedly shared their biometric data.
The Court’s decision on each of the 3 was as follows:
Section 15 (b)
- Although Amazon claimed that “its disclosures satisfy BIPA, as the disclosures explain how Voice ID works and that Voice ID creates an acoustic model of the Voice ID Plaintiffs’ voice characteristics,” The Court argued in favor of the plaintiffs that “these disclosures do not inform enrollees that Amazon would collect “biometric identifiers” or Voice ID Plaintiffs’ unique biometric information as defined by BIPA” and given that consent has to be informed, here this was not the case. Informed consent is at the heart of Section 15 (b) and the Court’s argument then is that “the text of the statute demonstrates that its purpose is to ensure that consumers understand, before providing their biometric data, how that information will be used, who will have access to it, and for how long it will be retained. Here, nowhere in its disclosures does Amazon inform an enrollee that it is collecting and capturing the enrollee’s voiceprint, a biometric identifier.”
- As regards the claim of Bloom Stebbins that her voiceprint was collected alongside that of her husband’s and used for identification purposes, the Court agrees that Amazon captured her voiceprint, even if only to compare her voice to that of husband’s. In using the wake word for Amazon’s Alexa without enrolling in Voice ID, Bloom Stebbins’s voice was “collected, captured, received through trade, or otherwise obtained and stored [...] without her consent,” regardless of the fact that this was done solely to identify whether the speaker was Jason Stebbins or someone else. Lastly, in answering Amazon’s claim that “Section 15(b) only applies where there is some relationship between a person and the entity collecting biometric information,” the Court argued that this requirement does not appear in the statute itself and that “courts cannot rewrite a statute to create new elements or limitations not included by the legislature.”
Section 15 (c)
- Although Amazon argued that the plaintiffs could not factually prove that Amazon had profited from the sale or transfer of their biometric data, the Court decided that “that Plaintiffs have plausibly alleged a Section 15(c) violation,” and that “contrary to Amazon’s suggestion, Plaintiffs are not required to plead evidence.”
Section 15 (d)
- the Court decided in favor of the plaintiffs here too. The plaintiffs alleged a violation of this Section and cited another BIPA case - Johnson v. NCR Corp. - where the Court reasoned that “plaintiffs need not specify the who, what, when, where, and how of the dissemination to meet Rule 8’s pleading requirements. Plaintiffs’ allegations sufficiently suggest that [defendant] used third- party vendors and thus disseminated Plaintiffs’ biometric data to them, which is all that they must do to proceed to discovery on this claim.” As such, its decision was that “Plaintiffs plausibly allege a Section 15(d) violation,” and that “Amazon’s invitation to require greater specificity from Plaintiffs at the pleading stage” is rejected.
This decision, which is now known as ‘the Wilcosky decision,’ brings a significant change to the way a company must provide notice to individuals in such a way as to be in compliance with BIPA. End users must be provided with a clear language that informs them what is being collected, for how long, and for what purposes, so that they can provide a consent that is informed. Furthermore, BIPA includes as ‘biometric identifier’ “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry'' and excludes a whole range of other types of identifiers. Companies should consider it a best practice to get themselves acquainted with the BIPA’s definition of biometric data and its classification of biometric identifiers.