Press Release

Bradley attorney Erin Illman was quoted in Cybersecurity Law Report on the decision in Zellmer v. Meta Platforms, Inc., its implications and practical BIPA compliance lessons.

Zellmer addresses “the distinction between capturing a ‘face signature,’ or a numerical representation of an image, and capturing information that can be used to identify a particular person,” said Illman. “While this may seem like the panel is ‘splitting hairs,’ it is akin to other distinctions in privacy laws generally that exempt anonymized or de-identified data from the definitions of personal information,” she explained.

A face signature does not reveal information about a face’s geometric information or facial features, the Ninth Circuit determined. The appeals court distinguished “abstract, numerical representations derived from a photograph that are not capable of identifying that individual (under current technology and use) from other types of facial recognition technology that use unique facial measurements and data points to identify the individual,” Illman said.

The Ninth Circuit in Zellmer “delved into what it means to ‘identify’ an individual under BIPA,” Illman noted. In other words, the court considered “how much information is necessary to ‘identify’ versus ‘categorize’ an individual,” she explained. While Zellmer argued that a face signature “can predict an individual’s gender and age,” the Ninth Circuit “determined that this information alone does not identify an individual. The court reasoned, in part, that “‘a face signature [that] can predict a person’s gender limits the pool of potential matches to 50% of the population’ and ‘fails to identify anyone,’” she explained. The court further noted, she added, that “a person’s age – standing alone or together with his or her gender” – also cannot identify a person.

The decision “seems to suggest that there is a unique distinction between identifying an individual versus identifying pieces of personal information of that individual,” Illman observed. Specifically, using non-identifiable data, such as the abstract numbers used in a face signature, to identify other pieces of personal information, such as gender and age of an individual, “is not the same as identifying the individual directly,” she said.

The decision “provides clarity on the types of data that are regulated under BIPA,” Illman concluded. “As technology progresses, the line between what is biometric data and what information can be sourced from historical data associated with an individual has blurred,” she said. The Zellmer case offers “a look into how the courts are willing to create bright line rules around what falls into the definition of biometric data,” she offered.

In addition to complying with BIPA’s notice and consent requirements, “companies would be well served to review their data retention, deletion, and purpose limitation practices on all data, especially sensitive data like biometric,” Illman advised. “While not the reasoning behind the decision, the Ninth Circuit did note that ‘even if the reverse engineering of a face signature were technically possible, face signatures exist for only a tiny fraction of a second’ and are neither saved nor stored after their initial use,” she noted. This is significant, she said, “as it reinforces the concept of data minimization and purpose limitations that are becoming increasingly common in state privacy laws and are the focus of many regulators.”

The full article, “Aftermath of the Ninth Circuit BIPA Liability Shake-Up in Zellmer v. Meta,” was published by Cybersecurity Law Report on October 23, 2024.