By Amenze Airhiavbere and Aviva Surugeon

Judge rules collection of biometric information from photographs is subject to BIPA.

On April 25, U.S. District Judge Marvin E. Aspen blocked Onfido Inc. from dismissing a pending lawsuit under the Illinois Biometric Information Privacy Act (“BIPA”).  The class action, is led by Plaintiff Freddy Sosa, who originally filed suit in Cook County Circuit court in June 2020 before the case was removed to federal court.  Plaintiff Sosa had an account with Offerup, Inc., a marketplace where people buy and sell goods online.  The Complaint alleges that Offerup partnered with Onfido to establish and verify users’ identities.  The lawsuit challenges biometric information taken using Onfido’s software, a system that scans uploaded photographs to extract biometric identifiers and compares them with identification cards (e.g., driver’s licenses) to confirm a person’s identity.


Under BIPA, “biometric information” is any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual (e.g., a fingerprint). Information extracted from photographs does not explicitly fall under this definition.  However, the plaintiff argued that the law is meant to protect biometric identifiers, and by extracting identifying information from photos, Onfido performs a type of scan that should require informed consent from all individuals.  In its defense, Onfido argued that the information collected from photos cannot be defined as a scan of facial geometry because the scan is not done in person.  Judge Aspen sided with the plaintiff’s argument, agreeing that Onfido’s software does indeed take a scan of facial geometry, and there is nothing in the BIPA law stating that a scan must be done in person.

Key Implications

Judge Aspen’s decision means that companies must receive informed consent from all individuals before collecting information from photographs.  They are also prohibited from selling this information or using it for profit.  Companies that use software or work with vendors that use software like Onfido’s should be on notice that consent and disclosure are required before collecting information from photographs.  Failure to do so could lead to potential BIPA violations. 

Looking Ahead

Companies should take proactive steps regarding BIPA compliance.  Taking inventory of how their software is used to collect and store biometric information is a critical first step.

The BIPA lawsuit against Onfido is ongoing, and Redgrave LLP will continue to monitor relevant developments.  We are also available to assist in creating compliant privacy programs that proactively account for the nuances of BIPA.

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.

Download PDF