Target Illegally Collects Customers’ Biometric Data, Class Action Lawsuit Alleges – John-Michael Dumais 4/16/24


Retail giant Target illegally collected and stored customers’ biometric data, including face and fingerprint scans, according to an Illinois woman who filed a class action lawsuit against the Minnesota-based company on behalf of herself and other customers.

Arnetta Dean alleges Target violated Illinois’ Biometric Information Privacy Act (BIPA) by collecting customers’ data without obtaining written consent or sharing data retention and destruction policies.

The lawsuit, filed on March 11 in the Circuit Court of Cook County, Illinois, also claims the company did not provide the necessary disclosures or allow customers to opt out of the data collection practices.

Plaintiffs seek statutory damages of $5,000 for each intentional or reckless violation of the law and $1,000 for each violation found to be negligent. They also seek to recoup attorneys’ fees and other litigation expenses.

The lawsuit also seeks injunctive relief to prevent Target from further violating the biometric privacy rights of Illinois residents.

A hearing in the case is scheduled for July 10.

Target uses ‘advanced behavior analysis’ to detect shoplifters

Dean, an Illinois resident, filed the lawsuit after allegedly having her biometric data collected without consent during visits to the retailer’s stores.

According to NBC Chicago, Target allegedly employs advanced facial recognition technology in its stores to prevent theft.

The suit cites a Target investigations center leader who said, “[W]e are using state-of-the-art equipment to gather as much intelligence as possible, reduce business risks, and take down criminals.”

The lawsuit alleges Target “operates one of the largest and most advanced networks of cameras” and has developed an advanced system of electronic surveillance that includes 14 investigation centers and two forensic labs “to enhance video footage and analyze fingerprints.”

A former Target manager wrote in a thread on Quora that Target takes photos every time customers step on and off the property, builds a database of them wandering through the store, and uses “incredibly advanced behavior analysis and facial recognition software” to detect potential shoplifters, according to the lawsuit.

According to another post, “Target has an actual crime lab that’s so good government agencies come to them for help … [and] are the only retailer that uses DNA and fingerprints to identify and help catch rings of professional shoplifters.”

Customers who frequent the store but do not make a purchase “are going to be suspected of being shoplifters, and they will be scrutinized more closely,” according to a third Quora post.

The lawsuit references “an entire TikTok page of videos” where consumers and former employees discuss Target’s surveillance system.

Background on BIPA

Passed in 2008, Illinois’ BIPA safeguards residents’ biometric data, such as facial scans and fingerprints.

The act recognizes the unique nature of biometric information, emphasizing that, unlike other personal data like social security numbers, biometric identifiers cannot be easily changed if compromised. This makes people particularly vulnerable to identity theft and other risks if their biometric data is mishandled.

Under BIPA, companies collecting biometric data in Illinois must follow strict guidelines.

First, they must inform individuals in writing that their biometric information is being collected and specify the purpose and duration of its use.

Second, they must obtain a written release from the individual before collecting the data.

Third, companies must develop and make publicly available a retention schedule and guidelines for permanently destroying the collected biometric data.

Violating BIPA can result in significant penalties for companies, including damages ranging from $1,000 for each negligent violation to $5,000 for each intentional or reckless violation, liability for attorneys’ fees and other litigation expenses — precisely the relief the plaintiffs in the current lawsuit are seeking.

Similar lawsuits and settlements

BIPA, unique to Illinois, provides protections rarely granted by other states’s laws. This has led to “hundreds of David-and-Goliath legal battles against some of the world’s most powerful companies,” some resulting in huge settlements, according to NBC Chicago.

In recent years, several tech giants have found themselves in the crosshairs of Illinois’ biometric privacy law. The most notable case involves Facebook, which settled a class action lawsuit for $650 million in 2022. The social media behemoth was accused of collecting and storing digital scans of users’ faces without permission. As a result, over 1 million Illinois Facebook users received checks for nearly $400 each.

Google, Snapchat and TikTok also faced their own BIPA lawsuits.

Google was accused of violating BIPA through its Google Photos service, which between 2015 and 2022 allegedly collected and stored biometric data of Illinois residents who appeared in photos uploaded to the platform.

Snapchat, meanwhile, landed in trouble over claims that it illegally collected users’ biometric information through its filters and lenses, resulting in a $35 million settlement in 2022.

As for TikTok, the popular video-sharing app in 2022 reached a $92 million multistate settlement in a class action lawsuit, with Illinois claimants receiving the biggest share of the payout due to BIPA.

In November 2023, an Illinois federal court allowed a class action lawsuit against Amazon to proceed, alleging the company’s Alexa devices violated BIPA by collecting users’ voiceprints without proper notice and consent.

In another significant 2023 BIPA decision, the Illinois Supreme Court held in Cothron v. White Castle System Inc. that a BIPA violation occurs each time an entity collects or discloses biometric information without consent, not just the first time.

The case involved a class of employees who accused White Castle of repeatedly collecting and disclosing their fingerprints without consent through a system used to access pay stubs and computers.

BIPA lawsuits in Illinois reportedly increased by nearly two-thirds, to 122 cases in the two months following the Supreme Court’s seminal ruling.

In a smaller Illinois case, the sandwich shop chain Pret a Manger paid over $677,000 to resolve a class action lawsuit that accused it of collecting and storing the fingerprints of nearly 800 employees through its time-keeping system without providing prior notice to the affected workers, as required by BIPA.