The latest Biometric Information and Privacy Act (“BIPA”) lawsuit is not being waged against a luxury brand or cosmetics company over a virtual try-on tool, it has been filed against Prisma Labs – the company behind artificial intelligence (“AI”) image-generating app, Lensa A.I. According to the proposed class action lawsuit that a handful of named plaintiffs lodged with the U.S. District Court for the Northern District of California on February 15, despite “collecting, possessing, storing, using, and profiting from” Lensa users’ biometric identifiers namely, scans of their “facial geometry,” in connection with its creation of custom avatars, Prisma has failed to properly alert users about the biometric data its collects and how it will be stored/destroyed, as required by the Illinois data privacy law.
Setting the stage in the newly filed complaint, Illinois residents Jack Flora, Eric Matson, Nathan Stoner, Courtney Owens, and a minor that is identified by the initials, D.J., (the “plaintiffs”) allege that by way of the Lensa app, Prisma offers users the chance to create “magic” avatars – for a fee – by uploading at least eight photos of themselves and “giving Lensa access to all photos stored on [the] device” they use. “In the process of creating the ‘magic avatars,’” the plaintiffs claim that Prisma “collects the facial geometry associated with the uploaded images,” which it uses to “not only to create the ‘magic avatar,’ but also to train its neural network algorithms to, in Prisma’s words, ‘perform better and show [users] better results.’”
The problem with this, according to the plaintiffs, is that Prisma has failed to adhere to the tenets of Illinois’ BIPA, which requires private entities that collect biometric data to: (i) implement and make publicly available a written policy that includes “a retention schedule and guidelines for permanently destroying [users’] biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of [an] individual’s last interaction with the [company], whichever occurs first;” (ii) inform data subjects in writing of the specific purpose for collection, as well as the actual use and storage practices; and (iii) obtain a written release from data subjects consenting to the disclosed collection, use, and storage practices.
Instead of explicitly stating that it collects/stores “facial geometry” data, the plaintiffs assert that Primsa says that it “collect[s] and store[s] your Face Data,” which it defines as “images (photo or video) that you provide us in or through Lensa, and/or other information related to human faces obtained from your images.” According to Prisma’s policy, that data is “automatically deleted within 24 hours after being processed by Lensa,” and for those using the Lensa “Magic Avatars feature,” the company states “the photos are automatically deleted after the AI results are generated.”
The plaintiffs argue that this collection language is insufficient under BIPA, as Prisma is “conflating photographs and ‘other information related to human faces,’” which is “not a disclosure of the fact that [it] is collecting biometric identifiers and biometric information.” The language is also an issue, the plaintiffs claim, because Prisma’s policy “only mentions destruction of photographs, not of the biometric data associated with the user and biometric data obtained from the photographs.” As such, they argue that the company “has no written policy” for how it permanently destroys users’ biometric identifiers and information.
Instead, the plaintiffs contend that despite “suggesting” that it deletes users’ biometric data within 24 hours of them creating a “magic avatar,” Prisma “retains Lensa users’ biometric data in a non-anonymized fashion … for uses wholly unrelated to the [their] purpose for using Lensa,” (i.e., to “train its neural network(s) and thereby improve the app”). Accordingly, the plaintiffs maintain that Prisma “has not informed [users] in writing of the specific purpose and length of term for which their biometric identifiers or biometric information is collected or stored.”
With the foregoing in mind, the plaintiffs allege that Prisma is violating sections 15(a) to 15(d) of BIPA. In addition to seeking certification of their class action suit, which involves “100 or more class members” and a damages sum that exceeds the $5 million threshold, the plaintiffs are seeking damages, as well as “equitable, injunctive and declaratory relief.”
A rep for Prisma Labs told TFL, “At Prisma Labs, user privacy is of the utmost importance to us. We consider these allegations to be baseless and intend to vigorously defend against them.”
The case is Jack Flora, et al., v. Prisma Labs, Inc., 5:23-cv-00680 (N.D. Cal.)