Biometric ID Provider ID.me’s Data Policy Violates Illinois Law


A proposed class action lawsuit alleges that identity verification provider ID.me, Inc. violated an Illinois privacy law by failing to maintain a law-compliant biometric data retention policy, which allowed it to store the collected information for years despite state requirements.

The 12-page lawsuit specifically claims that ID.me, which provides biometric scanning services to various businesses for identity verification purposes, maintained until March 24, 2021 a data retention policy that allowed the company to store individuals’ biometric information for up to seven and a half years after their account was closed.

As relevant here, the Illinois Biometric Information Privacy Act (BIPA) requires a company to maintain a policy under which an individual’s biometric identifiers and information are permanently destroyed when the original purpose of collecting and storing the data has been satisfied or within three years of the individual’s last interaction with the company, whichever comes first.

According to the case, ID.me suggested that its data retention policy did not comply with BIPA when the company added Illinois-specific language on March 24, 2021. Although the updated policy still allows ID.me to retain consumer biometrics for up to seven and a half years, an exception was made for Illinois residents, for whom the company said it would destroy their biometrics “when the initial purpose of collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with ID.me, whichever comes first,” the lawsuit states.

“All subsequent versions of defendant’s biometrics policy have included this Illinois-specific language,” the complaint alleges. “So not only does the defendant admit that it must comply with BIPA, but it also implicitly admits that its pre-March 24, 2021 biometrics policy did not comply with [the BIPA].”

The complainant is an Illinois resident who said she had to register for an ID.me account when she started working at Ann & Robert H. Lurie Children’s Hospital in Chicago in January 2020. According to the case, the woman uploaded a photo of her face to the ID.me platform, and the company’s technology used the image to generate a facial template for the complainant to use for identity verification purposes.

The lawsuit says that at the time the plaintiff provided her biometric information to ID.me, the company had a data retention policy in place which stated that it was permitted to store her data for up to seven and a half years after her account was closed, which the lawsuit says is a direct violation of BIPA’s data retention policy requirement.

The lawsuit seeks to represent all Illinois residents who, prior to March 24, 2021, used ID.me to scan their face in Illinois.
