“Say Cheese!” CVS Passport Photo Practices Subject to BIPA Suit

In May 2022, a group of plaintiffs brought a putative class action against CVS Pharmacy, Inc. (CVS) alleging the company violated several provisions of the Illinois Biometric Information Privacy Act (BIPA) through its practices for taking passport photos. On May 4, 2023, in Daichendt and Odell v. CVS Pharmacy, Inc., the United States District Court for the Northern District of Illinois denied CVS’s motion to dismiss, holding the plaintiffs sufficiently stated a claim under Section 15(b) of BIPA.

Section 15(b) of BIPA prohibits private entities from collecting “or otherwise obtain[ing] a person’s or a customer’s biometric identifier or biometric information, unless it first”: (1) provides notice of collection; (2) provides notice of the specific purpose of collection; and (3) obtains affirmative written consent. Here, the plaintiffs alleged that CVS required them to “enter[] their names, email addresses, and phone numbers into a computer terminal inside defendant’s stores prior to scanning their biometric identifiers.” Thereafter, CVS’s system would “check” and “verify” an individual’s facial features (i.e., whether the individual is smiling) to comply with government requirements. Against this backdrop, the plaintiffs argued this system violated Section 15(b) because it “collected and stored their personal contact data (‘real-world identifying information’), such as their names and email addresses,” thus allowing CVS the ability to identify the plaintiffs “when associated with scans of their face geometry.”

CVS’s motion was grounded on what it contends is the “fundamental difference” between “biometric identifiers” and the identification of “biometric features.” BIPA defines “biometric identifiers” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” CVS maintained its photo system does not collect this type of information; rather it collects “data on an ‘abstract binary feature,’ like ‘eyes open’ or ‘eyes closed,’” to verify an individual’s features for passport photographs. In short, CVS argued the data collected is “‘not associated with an individual’s identity.’”

The court rejected CVS’s arguments. In the court’s view, “[t]he problem is not the certificate (i.e., the photo system’s output) or the purpose of the photo system (i.e., to ensure passport-ready photographs). The problem … is that in order to determine whether an individual’s eyes are open or closed, or whether the individual’s mouth is closed or smiling, the photo system would necessarily have to scan the individual’s face.” Under Section 15(b), a plaintiff need only allege “that an entity collects or stores biometric data that is capable of identifying an individual.” As the plaintiffs alleged that CVS scanned their “face geometry” at the same time it collected personal information, they sufficiently stated a claim under Section 15(b). Therefore, the court denied CVS’s motion to dismiss.

This order is one of many recent decisions interpreting the scope of BIPA. In May 2023, for instance, the Supreme Court of Illinois, in Cothron v. White Castle Sys., Inc., held that claims arising under Section 15(b) of BIPA accrue each time a company either collects or discloses an individual’s biometric information without prior informed consent. Indeed, that decision has allowed for potential damages in excess of $17 billion. Likewise, in March 2023, a federal district court in Delaware allowed a similar claim to proceed against Amazon for its failure to obtain informed consent when extracting “voiceprints” for authentication purposes. It is clear that both state and federal courts are interpreting BIPA’s language expansively. Therefore, practitioners should keep in mind these ongoing developments concerning the scope of this comprehensive consumer privacy statute.