David J. Oberly |
2021 has brought with it a sizeable expansion in the types of technology and companies that are now being targeted with bet-the-company Illinois Biometric Information Privacy Act (“BIPA”) class action lawsuits. The first major expansion involved the targeting of virtual try-on technology, a feature made even more popular during the COVID-19 pandemic, which, according to plaintiffs, utilizes facial recognition technology. More recently, a high volume of BIPA class action suits have been filed targeting the use of voice-powered technologies.
BIPA & Voice Data
BIPA regulates the collection, use, and storage of “biometric identifiers,” which includes—among other things—“voiceprints.” However, the term “voiceprint” is not defined in Illinois’ biometric privacy statute. “Voiceprint” is generally defined as a distinctive pattern of curved lines and whorls made by a machine that measures human vocal sounds for the purpose of identifying an individual speaker. It is this hallmark of identifying (or verifying the identity of) an individual that makes voice data a “voiceprint” under BIPA. In this respect, courts have noted that voice biometrics, also known as voiceprinting, is the use of biological characteristics—one’s voice—to verify an individual’s identity.
Thus, a critical distinction exists between general voice data, which is not covered by BIPA, and voiceprint, which fall under the scope of Illinois’ biometric privacy statute—with the important dividing line being the identifying quality of the biometric information. In a 2017 case, an Illinois federal court recognized this distinction, noting the difference between the mere capture of voice data and an actual “voiceprint.” In doing so, the court noted that if an entity simply captures a person’s voice without generating a voiceprint for the specific purpose of identifying ,or verifying the identity of, an individual, then there is no violation of BIPA.
Today’s New Wave of Voice Data BIPA Class Action Lawsuits
As discussed above, BIPA applies only to the use of true voice biometrics—which involves the creation and use of voiceprints for the purpose of identifying, or verifying the identity of, individuals. In many instances, however, companies that are targeted with BIPA class action lawsuits over their connection to voice data merely offer or utilize technology that—at most—recognizes an individual’s voice so that it can respond to that voice’s commands. In such instances, the technology does not function to identify an individual or verify an individual’s identity. In such instances, the technology at issue falls outside the scope of BIPA and, in turn, an actionable claim under Illinois’ biometric privacy statute cannot be established against the target defendant.
Practical Compliance Tips & Defense Strategies
Despite the fact that when it comes to voice biometrics BIPA only regulates the collection and use of voiceprints, many companies that merely use voice data for purposes other than identifying individuals or verifying individuals’ identities are still being targeted with BIPA class action complaints. As such, companies that use voice data for purposes other than identifying, and verifying the identity of, individuals should consider the following:
- Privacy Policy Disclosures: First, companies should clearly explain in their public-facing privacy policies that their use of voice data does not involve the utilization of voiceprints and that this activity falls outside of the scope of Illinois’ biometric privacy statute. This is an important step to minimizing risk because oftentimes suit is filed simply because insufficient information is available for plaintiff’s attorneys to make a determination as to whether an activity triggers compliance with BIPA.
- Compliance with BIPA Where Feasible: Second, companies can also consider satisfying BIPA’s requirements where it is feasible and not burdensome for the business to do so.
- Arbitration Agreement & Class Action Waiver: Third, companies should ensure that a robust arbitration agreement and class action waiver is contained in the company’s online terms and conditions. This is a critical step to take because often, the mere fact that an arbitration agreement exists is sufficient to dissuade a plaintiff’s attorneys from filing suit for alleged violations of BIPA.
- Informally Seek a Voluntary Dismissal of BIPA Class Action: Lastly, if a company finds itself as a defendant in a BIPA suit, it should immediately evaluate its technology and confirm that it does not fall under the scope of BIPA, i.e., it does not use voice data for authentication or verification purposes. If so, the company’s biometric privacy counsel should first reach out to opposing counsel, explain the situation and the fact that the technology in question does not collect or use biometric data, and request a voluntary dismissal of the matter. Many times, taking an informal approach will achieve the desired result of obtaining a dismissal of the matter in a much more cost-effective manner than moving straight to motion practice.
- Pursue Dismissal of BIPA Class Action through Early Motion Practice: In the event opposing counsel refuses to dismiss the suit, biometric privacy counsel should immediately pursue a dispositive dismissal of the action through early motion practice. Because a supporting affidavit or declaration will be needed to establish that the defendant’s technology does not constitute voice biometrics and does not collect or use voiceprints, in almost all circumstances dismissal will have to be pursued through a motion for judgment on the pleadings, as opposed to a Rule 12(b)(6) Motion to Dismiss.
The Final Word
Entities that utilize voice data but do not create or use voiceprints face swiftly increasing BIPA class action liability exposure, despite the fact that such technology falls outside of the scope of BIPA.
Proactive measures, including BIPA compliance where feasible, can significantly guard against the risk that companies using only voice data—but not voiceprints—are named as defendants in BIPA litigation. For more guidance on BIPA compliance, please view Blank Rome’s BIPA Compliance Checklist.
And in the event a business finds itself in court facing allegations that it ran afoul of Illinois’ biometric privacy statute, the lack of collection or possession of voiceprints can be wielded as a powerful, complete liability defense to enable an expeditious exit from the litigation soon after suit is filed.