Milberg Lawsuit Accuses Bose of Breaking Illinois Biometric Privacy Law
by Brian Eckert
Bose Corporation disregarded the biometric privacy rights of Illinois residents when it collected and stored their facial geometry as part of a “virtual try-on” program, plaintiffs allege in a Milberg class action lawsuit.
Illinois residents who had their facial biometrics collected and stored by Bose may be eligible to participate in the class action and recover damages of up to $5,000, as allowable under the Biometric Information Privacy Act (BIPA).
About Bose’s “Virtual Try-On” Program
Bose sells various types of Bluetooth audio sunglasses through its website. To help consumers choose a sunglasses model that best fits their face shape, Bose offers a “virtual try-on” that scans a potential customer’s face using their device’s camera, identifies their facial geometry, and allows them to preview how they will look in different combinations of frames and lenses. Bose refers to this as a type of augmented reality (AR).
About The Illinois Biometric Privacy Act
Illinois has taken a strong stance on protecting biometric information. BIPA is the country’s strongest biometric privacy law, and it reflects the unique sensitivity of data that includes a retina or iris scan, fingerprint, or a scan of hand or facial geometry.
There is no realistic way, absent surgery, to reassign someone’s biometric data. A person can obtain a new social security number, but not a new face, which makes the protection of, and control over, biometric identifiers and biometric information critical.
With data breaches on the rise, consumers are acutely aware of the vulnerability of their personal data in the hands of corporations. However, while the victim of identity theft can, for example, obtain a new Social Security number, they cannot obtain new biometric data. Thus, once an individual’s biometrics are exposed, they effectively have no recourse.
In light of the growing use of biometrics, Illinois passed BIPA, which requires companies that collect biometric data to meet several conditions prior to collection, including:
- Informing the data subject, in writing, that their biometrics are being collected and stored
- Informing the data subject of how their information will be used
- Describing measures that will be employed to protect the data subject’s biometrics
- Informing the data subject how long their biometrics will be stored and when the information will be permanently destroyed
- Obtaining a written release from the data subject authorizing the collection of their biometrics
BIPA provides a private right of action that allows Illinois consumers to recover statutory damages of $1,000 (negligent violation) or $5,000 (intentional or reckless violation) for each violation of their BIPA rights, as well as attorneys’ fees and costs and other relief, such as an injunction.
Plaintiffs: Bose Unlawfully Collected Biometric Data
The Bose virtual try-on program scans, collects, stores, and uses potential customers’ facial biometrics. Bose does so without providing Illinois consumers with an express, written release authorizing them to do so, which violates the Illinois Biometric Privacy Act. As Milberg’s lawsuit notes, “Burying a vague reference to biometric information in an online privacy policy is not sufficient to comply with BIPA’s requirements.”
In addition, plaintiffs say, Bose failed to provide Illinois consumers with a publicly available BIPA policy or the disclosures required by BIPA.
“Each time Plaintiffs used the ‘Virtual Try-On’ platform, Defendant unlawfully collected their biometrics,” states Milberg’s complaint.
“Defendant has not…properly informed consumers in writing that a biometric identifier or biometric information is being captured, obtained, collected or stored; informed consumers in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; or obtained consumers’ proper written consent to the capture, collection, obtainment or storage of their biometric identifier and biometric information derived from it.”
Who Can Participate in the Bose Biometric Class Action?
On behalf of others similarly situated, the plaintiffs seek to establish the following class:
All persons who had their biometric identifiers, facial geometry, faceprints, or facial data captured, collected, or received by Bose while residing in Illinois from five years preceding the date of filing of this action through the date a class is certified in this action.
Plaintiffs are represented by Milberg’s Gary Klinger—one of the most well-known and respected data privacy attorneys in the United States whose practice includes BIPA, data breaches, and cybersecurity. Mr. Klinger is also representing Illinois consumers in a recently-filed BIPA class action lawsuit against CVS.
Milberg has been at the forefront of protecting consumer rights since 1965, serving as a necessary check on the expanding power of corporations and technology. Follow the firm on Facebook and Twitter and contact us to discuss a potential violation of your privacy rights.