Vimeo is in some hot water thanks to a class-action lawsuit that says the video streamer ran afoul of an Illinois law regulating the collection and storage of biometric information.
The tech in question involves Vimeo’s Magisto app. Billed as an automated video editing service, Magisto was acquired by Vimeo back in April. According to the filing, Vimeo “created, collected and stored, in conjunction with its cloud-based Magisto service, thousands of ‘face templates’ (or ‘face prints’).” The templates were described in the suit as highly detailed geometric maps of users’ faces that were created via facial recognition technology from photos and videos uploaded to the Magisto app.
Plenty of social media and photography apps use some form of facial recognition. However, where Vimeo may have gone wrong is that it allegedly did not provide notice, obtain user consent, or publish a data storage policy. That’s a potential violation of the Illinois Biometrics Information Privacy Act. BIPA requires companies who collect biometric data to maintain a publicly available, written policy detailing how it retains and destroys biometric data. It also states that private companies must also obtain explicit, written user consent before collecting such data. Penalties for violating BIPA are $1,000 per violation or $5,000 per violation if a company was deemed to have intentionally violated the law.
The suit alleges that “each face template that Vimeo extracts is unique to a particular individual,” in the same way that voice or fingerprints are. Under BIPA, that would qualify the face templates as a form of biometric data. Additionally, the court documents note that Vimeo also collects the data of non-users, as users may upload photos and videos of family and friends.
The main plaintiff in the suit, Bradley Acaley, claims that he downloaded the Magisto app in 2017, along with a yearlong $120 subscription. After that subscription expired, he decided not to renew. At that point, he could no longer access any of his photos or videos, but his data was used by Vimeo to locate him in other photos. It was also able to recognize other identifiers, such as his gender, age, race, and location. Acaley claims that at no point did Vimeo give him the ability to opt-out of the collection of or the option to delete his data from Vimeo’s services.
Vimeo isn’t the first company to be brought to court over BIPA violations. Google had a case over facial recognition scanning dismissed in late 2018, while Facebook wasn’t quite as lucky. It lost an appeal in August to dismiss a BIPA-related case over facial recognition for tag suggestions. Six Flags also lost a BIPA case earlier this year, after a mother sued the theme park operator for fingerprinting her 14-year-old son without her consent.
Update, 09/27/2019, 3:55pm: Vimeo sent us the following statement about the case.
“This lawsuit is based upon a fundamental misunderstanding of how the Magisto video creation app works. To help customers create better videos faster, Magisto uses machine learning technology to help identify objects within video frames. Determining whether an area represents a human face or a volleyball does not equate to “facial recognition,” and Magisto neither collects nor retains any facial information capable of recognizing an individual. We look forward to having an opportunity to clear this up in court.”