Kohl’s, Walmart, The Home Depot and Best Buy have all been slapped with class action lawsuits this month over allegations that they violated Illinois biometric data privacy laws by using Clearview AI’s controversial facial recognition technology to fight back against shoplifting.
The suit comes just days after federal judge Sharon Johnson Coleman rejected plaintiffs’ attempt to bring those retailers into a larger biometrics-related multi-district litigation (MDL) against Clearview.
Macy’s is a defendant in the original complaint against Clairview AI, also filed in Illinois.
Clearview AI, which offers facial recognition capabilities to aid law enforcement and national organizations in identifying criminals and crime victims alike, is the main defendant in a larger suit for allegedly violating privacy laws in Illinois, as well as California, New York and Virginia.
The plaintiffs allege that without written consent, Clearview covertly scraped as many as 3 billion facial images from the Internet and scanned their facial geometry to harvest their unique face print and corresponding biometric data. With this data, Clearview created a searchable biometric database its clients could use to identify unknown individuals simply by uploading a photograph.
The individual retailer lawsuits claim the defendants violated rights codified by the Illinois Biometric Information Privacy Act (BIPA).
Under BIPA, private companies collecting and purchasing biometric information specifically must: inform a person in writing that biometric identifiers and information will be collected and/or stored; inform them in writing of the purpose and length for which the identifiers and information will be collected, stored or used; receive a written release from the person for the data collection; and publish publicly available written retention schedules and guidelines for permanently destroying the data.
The allegations levied against the retailers include capturing the biometric information without written consent, failing to properly disclose the data captured, and failing to disclose whether the information was shared with or sold to third parties, among others.
As in other BIPA-related actions, the plaintiffs are asking the court to award them millions of dollars in damages. Each BIPA violation could cost the defendants $1,000 to $5,000 per offense.
In July, plaintiffs in the Clearview AI/Macy’s case proposed adding Kohl’s, Walmart, The Home Depot and Best Buy to the suit, but the court noted that the deadline for joining new parties was Oct. 1, 2021. Clearview argued that adding the retailers would severely prejudice it considering the Sept. 26 fact discovery deadline, which the court confirmed “is a hard deadline.”
Judge Coleman also noted that the move would shift the focus away from Macy’s, with which the other retailers had no clear corporate connection, she said. She also said the plaintiffs didn’t show how their BIPA claims, which have a one-year limitation, connect the new retailers and the original allegations.
“Equally important, plaintiffs do not explain why Macy’s Inc. and its affiliates are inadequate named representatives nor do plaintiffs cogently explain why these additional defendants are necessary to their claims at this juncture, especially because they were aware that these retailers were Clearview’s clients before they filed the operative complaint in May 2021,” Coleman wrote.
Macy’s isn’t out of the woods yet
Macy’s itself is getting plenty of heat in the lawsuit for its use of Clearview’s database. After being added as another defendant in April 2021, Macy’s has unsuccessfully lobbied twice to have the allegations against it dismissed after the court determined the plaintiffs had standing to bring their grievances.
The plaintiffs allege that Macy’s obtained access to Clearview AI’s biometric database and the biometrics contained therein to identify people whose images appeared in surveillance camera footage from its retail stores.
“Macy’s utilized the biometric database over 6,000 times, each time uploading a probe image to the database to have the database search the biometrics contained therein, including the Biometrics of millions of Illinois residents, for a biometric match,” the suit said. “On information and belief, based on the magnitude of the number of searches, Macy’s uploaded one or more probe images from surveillance cameras located in Illinois.”
The suit also accuses Macy’s and other defendants of profiting from both the database and the biometrics themselves, by using the latter to prevent losses and/or improve the customer’s experience.
With a facial network of facial images sourced from the public internet, including news media, mugshot websites, public social media and other open sources, Clearview AI has a deep knowledge base that caught the attention of government organizations in both the U.K. and Australia.
The U.K. Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC) concluded a joint investigation in November 2021, with the latter determining that Clearview did in fact interfere with the privacy of Australian individuals by failing to gain their consent or to notify them of the collection of personal information. The ICO also told the firm it could no longer process the personal data of U.K. individuals.
In May 2022, the ICO fined the tech firm over 7.5 million pounds ($9.1 million) for failing to comply with U.K. data protection laws.
Clearview AI’s bid to have its lawsuit dismissed for lack of personal jurisdiction was rejected in July.
The lawsuits against the individual retailers were filed on behalf of named plaintiffs Adrian Coss and Maribel Ocampo, who claim the retailers allegedly improperly captured and shared footage of them and their minor children with the Clearview technology.
The larger suit against Clairview AI, Rocky Mountain Data Analytics and Macy’s includes nine plaintiffs: David Mutnick, Steven Vance, Mario Calderon, Jennifer Rocio, Anthony Hall, Isela Carmean, Shelby Zelonis Roberson, Andrea Vestrand and Aaron Hurvitz.
Battle over source code rages on
In August, the Clearview AI suit took another turn when the plaintiffs moved for an order to find that the company’s source code does not constitute “highly confidential information.” Counsel argued on behalf of the plaintiffs that the designation has interfered with the lawyers’ ability to review and use the source code.
Plaintiffs allege that the tech provider neither requires its employees nor contractors to sign non-disclosure or non-compete agreements to ensure protection of the source code nor does it require engineers who work directly with it to enter into such agreements.
The filing also claims that Clearview has not supported its position with evidence showing that it restricts employee access with passwords or encryption.
On Aug. 16, the defendants fired back in opposition of the plaintiffs’ motion, requesting to have three documents filed under seal. The defendants argued that all three documents—two of which are Clearview contracts, and another is Clearview’s Stock Purchase Agreement—contain sensitive commercial information about Clearview, including the identity of investors in Clearview and the company’s commercial contracts.
Clearview AI and Rocky Mountain Data Analytics then sent a separate memorandum related to the source code, saying that the plaintiffs do not cite any legal authority to propose that the code is not highly confidential or does not deserve special treatment.
“Given the highly confidential nature of the source code, which represents the entire current and historical source code repository for the Clearview App, there is an extreme risk of existential damage posed to Clearview if the source code is improperly stored and disclosed. The court should deny plaintiffs’ motion,” the defendants argued.