A few weeks ago, we witnessed a small yet hopeful win for privacy advocates and plaintiffs' attorneys. On November 6, 2024, US District Judge LaShonda Hunt denied Amazon's motion to dismiss plaintiffs' complaints for alleged violations of Illinois’ Biometric Information Privacy Act (BIPA).
Though Amazon has earned public favor with its low prices and almost unprecedented shipping speed, the e-commerce giant is no stranger to controversy. Amazon has faced dozens of lawsuits over the years as well as congressional heat for its use of biometric data.
The latest class actions, Van Housen, et al. v. Amazon.com, Inc., et al. and Coulter, et al. v. Hudson Group (HG) Retail, LLC, target Amazon’s Just Walk Out (JWO) stores, which facilitate touch-free shopping by collecting shoppers’ biometric data. The suits, originally filed in November 2023 in Cook County Circuit Court, allege that Amazon violated consumer rights by collecting this biometric information without shopper consent.
The cases involve one action against Amazon and another against both Amazon and the Hudson Group, which operates Amazon Go stores at Chicago’s Midway Airport.
How Amazon’s JWO technology works
According to Amazon, “Just Walk Out technology simplifies the shopping experience by removing checkout and helping consumers to get in and out quickly and seamlessly.”
Here’s how it works: When shoppers enter an Amazon Go, they scan their credit cards and proceed to collect the items they wish to purchase. A series of cameras use a combination of computer vision, sensor fusiun, machine learning, and generative AI to track each shopper’s movements, identifying faces, hand gestures, and even voice prints to determine who is purchasing what from store shelves.
The data is then processed by an algorithm, which automatically charges shoppers’ credit cards when they walk out, avoiding any checkout process.
Judge Hunt upholds privacy protections
While Amazon’s JWO stores surely offer a quicker and perhaps more convenient shopping experience, the possibility that Amazon is collecting shoppers' private data is cause for concern. And despite the fact that an Amazon representative reported to Law360 on Wednesday that "the allegations that Just Walk Out technology collects biometric information are baseless," Judge Hunt rejected Amazon's argument and ruled against the company.
Plaintiffs not only claim that Amazon failed to get written consent to collect, store, or share their biometric data, but also assert that Amazon uses shoppers’ biometric data for two purposes beyond simply tracking purchases: to improve its JWO software and sell customer biometric data to other retailers, which violates Section 15(c) of BIPA.
This clause states that it’s illegal for any “privacy entity in possession of…biometric information to sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier of biometric information.”
However, in her ruling, Judge Hunt allowed only some parts of the unlawful profiting claims against Amazon to proceed. In one case, she found the argument strong enough to permit these customers’ claims to move forward in court.
But in the suit involving Hudson, which argued that Amazon’s profits are unlawful because it saves money by using data-collecting technology instead of hiring more employees, Hunt ruled that this reasoning did not meet the legal standards required for such claims.
US biometric privacy laws: where we stand
Unfortunately, the law hasn’t quite caught up with technology. And with data privacy concerns continuing to grow as tech launches forward at warp speed, state and federal government bodies are going to need to create appropriate legislation to protect consumer privacy. Unlike the European Union, whose online data privacy laws are governed by the General Data Protection Regulation, the US lacks a unified approach to protecting user data.
In 2008, Illinois enacted BIPA, becoming the first state to implement a law protecting citizens against biometric data collection. The law is seen as being the most stringent US regulation of its kind and a blueprint for other states around the country. This regulation requires companies or government bodies that collect and store this data to comply with specific requirements, and provides a private right of action for consumers to collect statutory damages when they do not.
There are now 12 states with similar laws in the works. However, as of now, there are only two other states and two cities with active biometric privacy laws: Texas, New York, Washington DC, and New York.
At a federal level, we have yet to see legislation to address biometric privacy nationwide. Massachusetts Senator Ed Markey introduced the Facial Recognition and Biometric Technology Moratorium Act in 2023, a law aimed to limit how federal, state, and local governments can use biometric surveillance tools like facial recognition systems. Under the bill, federal agencies and officials are prohibited from acquiring, using, or storing biometric surveillance systems or related data.
Amy Klobucher (D-MN) has also been an outspoken voice against companies collecting and storing biometric data. As the Chairwoman of the Senate Judiciary Subcommittee on Competition Policy, Antitrust, and Consumer Rights, Klobucher and fellow committee members Senators Bill Cassidy (R-LA) and Jon Ossoff (D-GA) sent a letter regarding this issue to Amazon in 2021.
The letter expressed concern about the company’s use of data gathered by Amazon One, the company’s palm-print recognition and payment system, another biometric technology system, used in stores such as Whole Foods.
“In contrast with biometric systems like Apple’s Face ID and Touch ID or Samsung Pass, which store biometric information on a user’s device, Amazon One reportedly uploads biometric information to the cloud, raising unique security risks,” they wrote in the letter.
However, Amazon maintains that it takes all necessary precautions to protect consumer data. According to the Amazon One website, the company ensures consumer data is stored:
“...in accordance with Amazon's high security standards, leveraging the AWS Cloud, along with multilayered security controls built into the Amazon One hardware, software and cloud infrastructure to ensure that customer data stays encrypted and secure…Multiple security controls protect your data at all times, including, but not limited to, encryption, data isolation, and dedicated secure zones with restricted access controls.”
Setting the stage for future biometric privacy protections
We’ve seen a surge of biometric privacy lawsuits against companies accused of mishandling personal data over the past few years. Another notable example is the Facebook BIPA case, which settled for $650 million in 2021, following allegations that it collected and stored users’ facial recognition data without proper consent.
Similarly, TikTok agreed to a $92 million settlement in 2022 over allegations that it violated BIPA, the Video Privacy Protection Act, and other consumer and privacy protection laws for collecting and sharing users' biometric data without obtaining proper consent.
Judge Hunt’s favorable ruling against Amazon demonstrates that even tech giants can’t sidestep BIPA’s requirements. This decision could embolden more consumers and plaintiffs' attorneys to pursue BIPA claims, reinforcing the financial and reputational risks companies face when failing to comply with biometric privacy laws.
For plaintiffs’ attorneys, it’s yet another reminder of BIPA’s significance in the class action world, with the potential for substantial settlements that not only offer clients redress but also incentivize stronger compliance within the private sector.
Find and win your next data data privacy case. Work with us.
_______________________
This might interest you:
Partner with Darrow to grow your practice
