A class action lawsuit was filed by the plaintiffs against Google, alleging that the company broke Illinois’ Biometric Information Privacy Act. The act states that any private company collecting biometrics—defined as a retina or iris scan, fingerprint, voice, or hand or face scan—must have a publicly available written policy that establishes how long the data will be kept and how it will be destroyed at the end of its life. Google Photos has a tool to group photos of similar faces together, and the app collects data on facial geometry in order to determine similarities and differences between people. The problem is that Google wasn’t informing users that it was collecting their biometric data. The plaintiffs allege in their filing that:
“Google is actively collecting, storing, and using—without providing notice, obtaining informed written consent or publishing data retention policies—the biometrics of millions of unwitting individuals whose faces appear in photographs uploaded to Google Photos in Illinois. Specifically, Google has created, collected and stored, in conjunction with its cloud-based ‘Google Photos’ service, millions of ‘face templates’ (or ‘face models’)—highly detailed geometric maps of the face—from millions of Google Photos users.”
The lawsuit resulted in a $100 million settlement, and Illinois residents can file a claim for their cut of that money only if they appeared in a picture on the Google Photos app between May 1, 2015 and April 25, 2022. Users that meet these requirements can mail in a claim using the form on the settlement’s website before September 24, 2022 for their cut of the $100 million. While the exact payout per person isn’t clear yet, it will likely range between $200 and $400 per person, but the final payout will also depend on the number of claims filed.
This is not the first time Illinois was a crucible of the data privacy revolution. In 2015, a similar lawsuit was filed against Facebook, where plaintiffs argued that the social media giant was collecting biometric data from users without informing them. Compromised users were able to file a claim for a payout in 2020.