LitLand is a monthly feature that reviews developments in litigation as they relate to privacy matters and highlights any past, current, and future cases about which you should know.

A group of plaintiffs has accused Vimeo of “collecting, storing, and using [plaintiffs’] biometric identifiers and biometric information [sic] without informed written consent, in direct violation of” the Illinois Biometric Information Privacy Act (BIPA). The class action lawsuit alleges that Vimeo used the photos and videos uploaded by consumers into Vimeo’s video editing app, Magisto, to create “thousands of ‘face templates.’”

The templates are “highly detailed geometric maps of the face,” and are generated from “sophisticated facial recognition technology that extracts and analyzes data from the points and contours of faces” and are “unique” to each person, no different from “a fingerprint or voiceprint [that] uniquely identifies one and only one person.”

Plaintiff Alleges Vimeo’s Magisto Used Biometric Tracking

The lead Plaintiff, Bradley Acaley, alleges that he purchased a Magisto subscription in 2017 and uploaded and edited videos and photos of himself and his friends and family. He claims that Vimeo used the materials that he uploaded to “to organize and group together videos based upon the particular individuals appearing in the videos.”

However, and unbeknownst to plaintiff, the app was able to organize the videos by scanning “each and every video and photo uploaded to Magisto for faces, extract[ing] geometric data relating to the unique points and contours . . . of each face, and then us[ing] that data to create and store a template of each face.” These templates were compared against others in the Magisto database and allowed Vimeo to discern such characteristics as an individual’s “gender, age, race and location.”

Lawsuit Claims BIPA Violations; Lack of Policy for Retention

Besides allegedly failing to inform consumers about these practices and obtaining written consent, as required under BIPA, the lawsuit further alleges that “Vimeo does not have written, publicly available policies identifying their retention schedules or guidelines for permanently destroying any of these biometric identifiers or information.”

BIPA prohibits a private entity from, among other things, collecting, using, or retaining a consumer’s biometric identifier or biometric information without:

  1. Informing the consumer in writing that it is doing so;
  2. Informing the consumer in writing of the purpose and retention period for the collection, retention, and use of the information; and
  3. Receiving a written release from the consumer. 

Additionally, the company must have a publicly available retention schedule and guidelines for the destruction of the biometric identifiers and information.

Disclosure Remain Unclear

While it is unclear what disclosures Magisto made in 2017 when Plaintiff was a subscriber, the current Vimeo Privacy Policy addresses data collection, use, retention, and deletion. Additionally, it wouldn’t be atypical if Vimeo made additional disclosures after an individual purchased a Magisto subscription.

The court will have an opportunity to weigh in on the sufficiency of any such notices, particularly because they seem common in this sector. Plaintiff states in his complaint that he never consented to the collection of his information, signed a written release for the collection of his biometric information, nor was he ever presented “with an opportunity to prohibit or prevent the collection, storage, or use of his unique biometric identifiers or biometric information.”

Vimeo has yet to respond to the complaint, although the case, originally filed in state court, has now been removed to the Northern District of Illinois. Vimeo’s response is currently due in early December.