This month, Snap negotiated a $35 million settlement in principle to resolve a class-action complaint in Illinois alleging violations of the state's Biometric Information Privacy Act (BIPA) through the collecting of "facial biometric identifiers" without users' consent.
According to the class-action complaint, Snapchat's "Lenses" function, which allows users to apply additional effects to images by "scanning the geometry of a person's face," violates the BIPA.
The 2008 BIPA defines a biometric identification as "a scan of the retina or iris, a fingerprint, a voiceprint, or a scan of the hand or facial geometry."
The legislation bans private entities from collecting, capturing, purchasing, receiving through trade, or otherwise acquiring the biometric information of an Illinois person unless:
Notifies the individual in writing that identifiers and/or data will be collected and/or stored;
Informs the individual in writing of the particular purpose and duration for which the information or identifiers are being collected, held, or used;
Receives signed permission from the individual to gather the data; and
Publishes publicly accessible documented retention schedules and directions for irreversibly eliminating the aforementioned data.
The statute stipulates fines of up to $5,000 per person for intentional infractions and $1,000 per person for carelessness.
Snap has struck a settlement without admitting fault or liability.
As part of the agreement, Snap must notify Illinois users inside the application about how their faces, hands, and/or voices may be used to enable Lenses and voice commands to function.
“Should BIPA be amended in any fashion, Snap will ensure compliance with any applicable amendments,” the settlement stated.
Snap response: A Snap spokesperson said the company implemented the in-app consent notice earlier this year before the settlement was announced, noting the company “continues to vehemently deny that Lenses violate BIPA, which was designed to require notice and consent before collecting biometric information used to identify people.”
“We deeply value the privacy of our community, and Snapchat Lenses do not collect biometric data that can be used to identify a specific person or engage in facial identification,” the spokesperson said. “For example, Lenses can be used to identify an eye or a nose as being part of a face but cannot identify an eye or a nose as belonging to any specific person. Moreover, even the limited data that is used to power Lenses is never sent to Snap’s servers—the data never leaves the user’s mobile device.
Relatedly, in 2021, Facebook agreed to pay $650 million to settle a similar class-action lawsuit alleging violations of the BIPA based on the 2010 implementation of photo tagging suggestions. The settlement sum was $100 million more than what was first requested by the corporation.
By fLEXI tEAM