An Illinois appellate court has ruled that Apple’s biometric unlock features, including Touch ID fingerprint scanning and Face ID facial geometry scanning, do not violate the state’s Biometric Information Privacy Act (BIPA). The case involved a group of Illinois residents who alleged that Apple’s Face ID feature impermissibly collects facial geometries from pictures stored in the Photo app on Apple devices. The plaintiff class claimed that Apple violated BIPA by collecting, possessing, and profiting from biometric information without the knowledge or consent of users. According to the complaint, Apple did not have an established retention policy for biometric data and failed to obtain written permission to collect the information.

According to the appellate opinion, Apple never collected, stored, or managed the data collected by Touch ID and Face ID because the biometric data are stored locally on the user’s device. The court distinguished this local storage, which Apple contends is strictly controlled by the user, from cloud-based storage that takes the data out of the user’s custody. BIPA doesn’t define “possession,” so this ruling supports a narrow reading of the law based on the data’s physical storage location.

The court did not address whether technology that stores biometric data locally but still actively “phones home” for updates would change the calculus. For now, tech companies have a tested roadmap for BIPA-compliant security features: store the data locally and encrypt it.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Photo of Blair Robinson Blair Robinson

Blair Robinson has experience in data privacy and security, cybersecurity, information security governance, information technology (IT), and General Data Protection Regulation (GDPR).  Read her full rc.com bio here.