Amazon biometric data lawsuit another test for privacy law

Illustration showing a human form surrounded by representations of biometric data. Amazon biometric data lawsuit another test for privacy law,

By John Hilton

The legal debate over use of biometric data entered a new forum recently with a lawsuit against Amazon for alleged violations of the New York City privacy statute.

Insurers are watching this case, and others, for coverage implications as jury awards are crossing the billion-dollar threshold.

"Many different types of policies can cover or potentially cover biometric data privacy claims," said Tae Andrews, senior managing associated in the New York City office of Pasich, an insurance recovery law firm.

Biometric data generally refers to fingerprints and facial recognition data.

Established privacy laws are in their infancy in most cases, with many more states, cities and even Congress contemplating new laws. The implications for insurers are twofold.

For starters, major insurance carriers sit on a treasure trove of big data, with endless possibilities to sharpen actuarial risk projections and target financial products more narrowly to millions of consumers.

On the coverage side, businesses are increasingly facing class-action lawsuits over selling biometric data. Millions of dollars are at stake and insurers who provide business coverage under comprehensive general liability policies face major liability.

As a result, many insurers are adding exclusions to commercial policies for biometric data.

No notice of tracking

According to the lawsuit filed last month, Amazon did not alert its New York City customers that they were being monitored by technology that tracks their bodies’ shapes and sizes as well as their palm prints.

Plaintiff Alfredo Rodriguez Perez seeks class-action status with the lawsuit filed in the Southern District of New York. He alleges violations of a 2021 New York City law – the Biometric Identifier Information Law – requiring businesses to post signs if they’re tracking customers’ biometric information, such as facial scans or fingerprints.

New York City is reportedly the only city with such a law on the books. Amazon failed to tell visitors to Amazon Go convenience stores that the technology was in use, the Perez lawsuit claims.

On Feb. 7, 2023, Perez informed Amazon in writing that he had visited its 80 Pine Street store and that the company had an obligation to post a sign about collecting biometric data, the lawsuit said. Amazon did not respond, the lawsuit added.

Instead, Amazon did not post the required signage until after a March story appeared in the New York Times, a sign that "woefully fails" to comply with the law, the lawsuit said.

"The new sign fails to disclose that Amazon converts and retains biometric identifier information," the lawsuit reads. "Even worse, the sign informs customers that Amazon will not collect biometric identifier information on them unless they use the Amazon One palm scanner to enter the Amazon Go store, even though Amazon Go stores do collect biometric identifier information on every single customer."

Introduced in 2018, Amazon Go stores allow customers to take products they want off the shelves and leave without checking out. The company uses biometric data collection to enable them to charge customers' accounts after they leave the store. Amazon opened its first New York Go location in 2019, and has 10 stores, all in Manhattan.

The COVID-19 pandemic made contactless transactions more appealing, Andrews noted, giving a boost to further biometric data technology. For example, apps that scan the face can be used to virtually show a customer what they will look like in a variety of frames.

"This is very much the way of the world," Andrews said. "Companies are using a lot of biometric data and what we've also seen is a rise in statutes enacted by various states and municipalities to protect that biometric data."

Epic White Castle decision

Another recent court decision out of Illinois is rippling throughout the industry. Illinois is ground zero for the fight over biometric data thanks to the state Biometric Information Privacy Act (BIPA), which took effect in 2008 and provides a comprehensive set of rules for those entities choosing to collect biometric data from Illinois residents.

In February, the Illinois Supreme Court ruled that fast food chain White Castle System Inc. must face claims that it repeatedly scanned fingerprints of nearly 9,500 employees without their consent, which the company says could cost it more than $17 billion.

BIPA imposes penalties of $1,000 per violation and $5,000 for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans and other biometric information from workers and consumers.

"We're talking about incredibly high potential damage," Andrews said. "It's a very significant source of potential exposure."

InsuranceNewsNet Senior Editor John Hilton covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.

InsuranceNewsNet Senior Editor John Hilton has covered business and other beats in more than 20 years of daily journalism. John may be reached at [email protected]. Follow him on Twitter @INNJohnH.