CPW has previously covered litigation brought against a biometric software developer in Illinois, Sosa v. Onfido, Inc., 2021 U.S. Dist. LEXIS 658 (N.D. Ill.). In the court’s latest landmark ruling, the judge denied a motion to dismiss from defendant, finding that Illinois’ Biometric Information Privacy Act (“BIPA”) extends to information derived from photographs, as this information falls within the statute’s definition of “biometric identifier.”

Readers may remember that plaintiff Sosa had an account with Offerup, Inc., a marketplace where people buy and sell goods online. The Complaint alleges that OfferUp partnered with the defendant, Onfido, to establish users’ identities. They allegedly did so by way of users uploading their driver’s license or ID with photos of their faces, which Onfido would scan and extract biometric identifiers from to confirm whether the photos matched the IDs. Plaintiff brought suit, alleging violations of BIPA on the grounds that  After the court handed down a decision in late 2021 denying arbitration, Onfido filed a motion to dismiss, arguing that (1) the information collected by Onfido (photographs and information derived from photographs) is not protected by BIPA; (2) Sosa had not stated a claim for liquidated damages; and (3) BIPA is unconstitutional and violates the First Amendment.

To resolve the first issue, the Court looked to BIPA’s definitions of “biometric information”[1] and “biometric identifier.”[2] The Court observed that, while information derived from photographs does not fall within BIPA’s definition of “biometric information,” the data being collected still constituted a biometric identifier, based on the pleadings. Plaintiff alleged that Onfido’s software scanned identification cards and photographs to create a “faceprint,” or a unique representation of each individual face. Because the faceprints plausibly constituted a scan of facial geometry, within BIPA’s definition of “biometric identifier,” the data that Onfido was collecting was subject to BIPA and required the statutory informed consent and disclosures. The Court reached this finding even though BIPA expressly excludes photographs from the definition of “biometric identifier” and information derived from photographs from the definition of “biometric information,” as it found that the information derived from photographs could still fall within the definition of “biometric identifier.” While Onfido contended that the scans could not constitute a scan of facial geometry because it was scanning images of faces, rather than the individuals’ actual faces, the Court found this argument unavailing.

With respect to Onfido’s other arguments, the Court found that Plaintiff could continue to pursue liquidated damages because liquidated damages were not a claim—as Onfido had argued—but instead, a remedy or demand for relief, and so Plaintiff was not required to plead facts showing his entitlement to that relief. Onfido had additionally contended that BIPA violates the First Amendment as a content-based restriction that fails to satisfy strict scrutiny. The Court found that, first, section 15(b) of BIPA did not restrict Onfido’s speech, but instead restricted its conduct, as that provision of the statute regulates Onfido’s ability to obtain an individual’s biometric data. Additionally, the Court observed that, even if section 15(b) did restrict Onfido’s speech, it was sufficiently narrowly tailored to further a compelling interest, and so survived strict scrutiny.

This decision is going to have a significant impact on other biometric privacy cases going forward.  Not to worry, CPW will be there to keep you in the loop.


[1] “[A]ny information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” 740 Ill. Comp. Stat. 14/10.

[2] “[A] retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 Ill. Comp. Stat. 14/10.