Image: Lensa

The latest Biometric Information and Privacy Act (“BIPA”) lawsuit is not being waged against a luxury brand or cosmetics company over a virtual try-on tool, it has been filed against Prisma Labs – the company behind artificial intelligence (“AI”) image-generating app, Lensa A.I. According to the proposed class action lawsuit that a handful of named plaintiffs lodged with the U.S. District Court for the Northern District of California on February 15, despite “collecting, possessing, storing, using, and profiting from” Lensa users’ biometric identifiers namely, scans of their “facial geometry,” in connection with its creation of custom avatars, Prisma has failed to properly alert users about the biometric data its collects and how it will be stored/destroyed, as required by the Illinois data privacy law

Setting the stage in the newly filed complaint, Illinois residents Jack Flora, Eric Matson, Nathan Stoner, Courtney Owens, and a minor that is identified by the initials, D.J., (the “plaintiffs”) allege that by way of the Lensa app, Prisma offers users the chance to create “magic” avatars – for a fee – by uploading at least eight photos of themselves and “giving Lensa access to all photos stored on [the] device” they use. “In the process of creating the ‘magic avatars,’” the plaintiffs claim that Prisma “collects the facial geometry associated with the uploaded images,” which it uses to “not only to create the ‘magic avatar,’ but also to train its neural network algorithms to, in Prisma’s words, ‘perform better and show [users] better results.’” 

The problem with this, according to the plaintiffs, is that Prisma has failed to adhere to the tenets of Illinois’ BIPA, which requires private entities that collect biometric data to: (i) implement and make publicly available a written policy that includes “a retention schedule and guidelines for permanently destroying [users’] biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of [an] individual’s last interaction with the [company], whichever occurs first;” (ii) inform data subjects in writing of the specific purpose for collection, as well as the actual use and storage practices; and (iii) obtain a written release from data subjects consenting to the disclosed collection, use, and storage practices. 

Prisma falls short here for a number of reasons, according to the plaintiffs, who allege that it “has not informed [users of the Lensa app] in writing” that it collects and/or stores their “facial geometry,” which falls within the statute’s definitions of “biometric identifiers” and “biometric information.” While Prisma maintains a Privacy Policy, which “purports to disclose the information [it] collects directly from its users … notably absent from this list is any reference to the facial geometry used to create the magic avatars.” 

Lensa app

Instead of explicitly stating that it collects/stores “facial geometry” data, the plaintiffs assert that Primsa says that it “collect[s] and store[s] your Face Data,” which it defines as “images (photo or video) that you provide us in or through Lensa, and/or other information related to human faces obtained from your images.” According to Prisma’s policy, that data is “automatically deleted within 24 hours after being processed by Lensa,” and for those using the Lensa “Magic Avatars feature,” the company states “the photos are automatically deleted after the AI results are generated.” 

The plaintiffs argue that this collection language is insufficient under BIPA, as Prisma is “conflating photographs and ‘other information related to human faces,’” which is “not a disclosure of the fact that [it] is collecting biometric identifiers and biometric information.” The language is also an issue, the plaintiffs claim, because Prisma’s policy “only mentions destruction of photographs, not of the biometric data associated with the user and biometric data obtained from the photographs.” As such, they argue that the company “has no written policy” for how it permanently destroys users’ biometric identifiers and information. 

Instead, the plaintiffs contend that despite “suggesting” that it deletes users’ biometric data within 24 hours of them creating a “magic avatar,” Prisma “retains Lensa users’ biometric data in a non-anonymized fashion … for uses wholly unrelated to the [their] purpose for using Lensa,” (i.e., to “train its neural network(s) and thereby improve the app”). Accordingly, the plaintiffs maintain that Prisma “has not informed [users] in writing of the specific purpose and length of term for which their biometric identifiers or biometric information is collected or stored.” 

Finally, Prisma’s “policy also fails to disclose the ways in which [it] profits from the biometric data,” the plaintiffs contend, alleging that Section 5 of its Privacy Policy states that “the company uses the photos it collects to train its AI without disclosing that it is, in fact, extracting the users’ biometric identifiers from the photos to do so.” The plaintiffs assert that Prisma previously revealed in its policy that it “use[s] your photos and videos to train our algorithms to perform better and show you better results” and does its “best to minimise the data that we receive.” However, they allege that this language “was not included in the Privacy Policy prior to the December 2, 2022 update, and it is not included in the December 15, 2022 Privacy Policy.” 

“It is telling,” the plaintiffs assert, that “the clearest statement made by Prisma that it is collecting users’ biometric identifiers and biometric information and retaining such data for an indeterminate period of time – accompanied only by a vague assurance that ‘we do our best’ to protect such data – was quickly excised from the Privacy Policy.” They argue that Prisma is “not only currently failing to disclose [its data collection/storage] practices, but is intentionally keeping users from finding out,” thereby, “acquiring vast amounts of individuals’ biometric data” and “making a great deal of money from providing its users with ‘magic avatars’” in the process. 

With the foregoing in mind, the plaintiffs allege that Prisma is violating sections 15(a) to 15(d) of BIPA. In addition to seeking certification of their class action suit, which involves “100 or more class members” and a damages sum that exceeds the $5 million threshold, the plaintiffs are seeking damages, as well as “equitable, injunctive and declaratory relief.”

A rep for Prisma Labs told TFL, “At Prisma Labs, user privacy is of the utmost importance to us. We consider these allegations to be baseless and intend to vigorously defend against them.”

UPDATED (Aug. 8, 2023): A N.D. Cal. judge sided with Prisma Labs, granting its motion to compel arbitration in the proposed class action, despite the plaintiffs’ arguments that the arbitration provision in Lensa’s terms is unconscionable and that “because some provisions in the arbitration agreement arguably fall below JAMS’ Consumer Arbitration Minimum Standards, the arbitration provision is illusory.”

The case is Jack Flora, et al., v. Prisma Labs, Inc., 5:23-cv-00680 (N.D. Cal.)