U.S. District Judge Nancy Rosenstengel raised concerns about how personal information would be protected given the increase in hacks when she rejected a request to compel Apple Inc. to provide information of Illinois residents with Apple devices and accounts in a suit alleging the Photos App collects and stores biometric identifiers through facial recognition technology.
In an order filed June 16, Rosenstengel concluded that the plaintiffs are not entitled to precertification discovery of the identities of all Illinois residents who purchased Apple devices with the Photos App and denied their motion to compel. For the same reasons, she granted Apple’s motion to quash the plaintiffs’ subpoena for purchasing information from major retailers selling Apple devices.
Plaintiffs Roslyn Hazlitt, Jane Doe, Richard Robinson and Yolanda Brown served Apple with requests for production on Jan. 21, seeking documents identifying all Illinois residents who purchased Apple devices containing the Photos App from June 13, 2016, to the present and documents identifying anyone in Illinois who executed End User License Agreements or other agreements in connection with the Photos App.
Apple objected to the requests, arguing that they were vague and ambiguous, overbroad, unduly burdensome, and not proportional to the needs of the case.
The plaintiffs provided Apple with various types of documents that could contain the information they sought, including shipping and billing addresses for those with Apple IDs, cell phone numbers for iPhones with Illinois area codes, billing information of Apple Pay customers, shipping and billing addresses of Illinois-related online purchases, and customer information for purchases at Apple stores in Illinois.
Apple refused, saying the requests were made in order to identify putative class members, which is not an appropriate source of discovery.
The plaintiffs responded by filing a motion to compel through attorney Andrew Schlichter of Schlichter Bogard & Denton in St. Louis. They also issued document subpoenas to major resellers of Apple products, such as Amazon, Target and Best Buy.
Apple filed a response in opposition to the request through attorney Raj Shah of Chicago.
Shah urged Rosenstengel to deny the motion to compel “because invasive precertification discovery of the identifying information of potentially millions of consumers, not class members, is neither relevant nor proportional to the needs of this case.”
Shah argued that the requested information is treated as personal data under the privacy policy and that disclosing it would intrude on consumers’ privacy interest.
“Plaintiffs, however, do not propose to inform consumers that a disclosure of their information has been requested,” he wrote. “Nor do plaintiffs seek to explain how the information will be used. In other words, if plaintiffs had their way, the consumers would have no choice with respect to their personal information being disclosed.”
Rosenstengel agreed with Apple’s concerns about disclosing potentially millions of consumers’ personal information without any notice or the ability to opt in.
“Moreover, while plaintiffs do not explicitly state any intention to use the information in any other manner, their request ‘necessarily implicate[s] concerns regarding potential client recruitment,’” she wrote. “Finally, plaintiffs have provided the court with no explanation as to how the data would be stored and kept secure, which is crucial considering the rising number of computer hackings and ransomware attacks hitting U.S. companies.”
Hazlitt, Jane Doe, by and through next friend John Doe, Robinson and Brown filed the putative class action on March 2, 2020, in St. Clair County Circuit Court before Apple removed the case to the U.S. District Court for the Southern District of Illinois on May 6, 2020. They argue that Apple violated BIPA by collecting, possessing and profiting from their biometric identifiers.
According to the complaint, the plaintiffs allege Apple collected, possessed and profited from their facial geometries through facial recognition. They claim the Apple Photos app uses proprietary software and facial recognition technology to scan facial features from photographs, creating a “faceprint” for every person detected “‘without the knowledge or informed written consent of’ the user or others who may appear in the photographs.”
The plaintiffs acknowledge that the Photos app uses “on-device processing,” but argue that Apple is liable because it provides the app.
The plaintiffs seek class certification, including “all Illinois citizens whose faces appeared in one or more photographs taken or stored on their own Apple Devices running the Photos App from March 4, 2015 until present.”
They seek injunctive relief, actual damages, $5,000 in statutory damages for each intentional and reckless BIPA violation, $1,000 for each negligent BIPA violation, attorney’s fees and court costs.
Apple filed a motion to dismiss the complaint on June 12. The defendant argued that the complaint is “devoid of factual allegations that Apple Inc. engages in any of the conduct against which the Illinois Biometric Information Policy Act protects: a private entity’s unauthorized collection, possession, and disclosure of individuals’ unique and personal ‘biometric identifiers’ or ‘biometric information.’”
Apple argued that the plaintiffs fail to plead that the defendant, the device or the Photos app links facial scans from photos to identifiable individuals. It added that device users have control over whether to tag people in photos.
The defendant further argued that the complaint fails to allege that it actually collects the information at issue. The complaint alleges the information is stored in the memory on the specific Apple device, the motion states.
“The plaintiffs therefore resort to tenuous and never before used theories of vicarious or secondary liability as a basis for their BIPA claims against Apple,” the motion stated. “The Illinois legislature imposed no such liability in enacting BIPA, and courts routinely dismiss claims against device manufacturers and software developers that, like here, allege nothing more than the sale of technology which allegedly created biometric identifiers or biometric information during operation by the end-user.”
District Judge Nancy Rosenstengel previously remanded the claims that Apple violated BIPA by possessing and profiting from the class members’ biometric identifiers and biometric information. Apple opposed the remand and sought supplemental authority from the Seventh Circuit.
The Seventh Circuit granted Apple immediate relief and reversed Rosenstengel’s order on Jan. 22.