Key Definitions:

• • Biometric Identifier: Voiceprint and other unique biological patterns or characteristics used to identify a specific individual.
  • Biometric Information: Any information based on a biometric identifier, regardless of how it’s captured, converted, stored or shared.
  • Written Release: Informed consent authorizing collection of biometric data for a specific purpose, for a specified time period.
  • Private Entity: Any individual, partnership, corporation, LLC, association or other group, however organized.
  • Voiceprint: Distinctive patterns of an individual’s voice used to uniquely identify that person.

BIPA’s Purpose:

• • Protect public welfare, security & safety by regulating biometric collection, use, safeguarding, handling, storage & destruction.
  • Give consumers control over if/how their biometrics are collected and used, as ramifications of biometrics not fully known.
  • Make biometric-driven transactions more secure and readily available, by alleviating privacy concerns through transparency.
  • Hold companies accountable via strict compliance standards and meaningful penalties for violations.
  • Prevent harmful, unintended consequences from unchecked biometric-facilitated financial transactions.

Why It Matters:

• • Biometrics Are Uniquely Sensitive: You can change a credit card number but not your face, fingerprint or voice.
  • Identity Theft & Fraud Risks: Stolen biometrics enable criminals to impersonate you in concerning ways.
  • Permanence When Compromised: Biometrics are often irreplaceable once breached, causing long-term security issues.
  • Covert Collection Potential: Biometrics can be captured without your knowledge, unlike a password you enter.
  • Profitable Data for Companies: Your unique identifiers are valuable for targeted marketing, research and more.

How Voiceprints Work:

• • Voice recordings are analyzed to extract distinctive patterns of pitch, cadence, tone that are unique to each person.
  • Mathematical algorithms convert those patterns into a digital “voiceprint” – a hashed string of characters.
  • Voiceprints can be compared to real-time or recorded speech to assess if two samples are from the same person.
  • Like other biometrics, voiceprints are stable identifiers that can’t be altered and are unique to each individual.
  • Voiceprints raise similar privacy/security concerns as fingerprints or facial recognition if compromised.

Alleged BIPA Violations:

• • Not informing customers in writing that biometrics (voiceprints) were being collected/stored.
  • Not providing written notice of the specific purpose and length of term for biometric collection/storage/use.
  • Not obtaining written releases from customers before collecting their biometric voiceprints.
  • Not making a retention schedule or destruction guidelines publicly available.
  • Continuing to violate BIPA each time a new customer enrolls in Voice ID and on every call where it’s used.

Potential Penalties:

• • Statutory Damages: $1,000 per negligent violation, $5,000 per intentional/reckless one, or actual damages if greater.
  • Injunctive Relief: Court orders requiring Verizon to comply with BIPA requirements moving forward.
  • Attorneys’ Fees & Costs: Plaintiffs’ legal expenses paid if they prevail, incentivizing lawsuits to enforce BIPA.
  • Reputation Damage: Negative publicity from allegations of secretly collecting customer biometrics.
  • Expensive Litigation: Costs of defending a large class action through trial or settlement, which could take years.

15(b) Notice & Consent Requirements:

• • Written Notice of Collection: Must inform subjects in writing that biometric identifiers/information will be collected or stored.
  • Written Notice of Purpose & Term: Must state the specific purpose and length of term for which biometrics will be collected, stored & used.
  • Written Release: Must receive a written release executed by the person or their legally authorized representative.
  • Separate Violations: Each failure to comply with individual notice, purpose, term or release rules is a distinct violation.
  • Ongoing Duty: Requirements apply to initial collection and all subsequent captures or transmissions of the biometrics.

15(a) Retention & Destruction Duties:

• • Written, Public Policy: Must develop a publicly available policy establishing a retention schedule & destruction guidelines.
  • Destroy When Purpose Ends: Biometrics must be permanently destroyed when the initial collection purpose is satisfied.
  • Destroy After 3 Years Max: If purpose ongoing, must permanently destroy within 3 years of individual’s last interaction with entity.
  • Mandatory Compliance: Absent a valid warrant/subpoena, entity must comply with its established retention & destruction policy.
  • Continuing Obligation: Policy must be in place for entire time entity is in possession of the collected biometrics

15(e) Disclosure & Care Requirements:

• • Reasonable Standard of Care: Must protect biometric data using reasonable care for the industry and in a manner as protective as other confidential info.
  • Same As Protecting Other Data: If have other confidential/sensitive info, biometrics must get equivalent or greater protections.
  • Evolving Duty: As technology and best practices change, level of required protection and care may increase over time.
  • Fact-Specific Inquiry: Reasonableness of care depends on nature of data, risks involved, costs of protection, etc.
  • Third Party Transfers: Restrictions and duties apply to initial collector and any downstream entities data is shared with.

Key Hurdles for Verizon:

• • BIPA’s Plain Language: Statute expressly includes “voiceprints” in definition of protected “biometric identifiers”.
  • Strict Consent Requirements: Written release must be a separate, clear affirmative act after required disclosures.
  • Broad Standing Under BIPA: Any person “aggrieved” by a BIPA violation can sue, regardless of additional harm.
  • Statutory Penalties are Aggregated: Liquidated damages apply separately to each individual BIPA violation.
  • Size and Sophistication: As a large, well-resourced corporation, recklessness may be presumed if violations occurred.

Possible Case Outcomes:

• • Class Certification: If class certified, case proceeds on behalf of all IL residents whose voiceprints Verizon collected since 9/13/19.
  • Summary Judgment: Court could decide key legal issues like whether BIPA applies to voiceprints as a matter of law before trial.
  • Settlement: Verizon may pursue an early settlement to cap financial exposure and avoid further litigation costs/risks.
  • Trial: If case doesn’t settle, a jury would decide if Verizon violated BIPA and whether any violations were negligent or reckless.
  • Damages: For any proven violations, Verizon would owe $1,000 (negligent) or $5,000 (reckless) per violation to each class member.

Implications & Considerations:

• • High Stakes for Verizon: With millions of customers, BIPA violations could lead to massive potential damages exposure.
  • Increased Litigation Risk: Case part of growing trend of bet-the-company biometric privacy suits under BIPA.
  • Elevates Biometric Best Practices: Organizations collecting biometrics must closely adhere to latest compliance standards.
  • Impact on Voice Authentication: Companies may be deterred from adopting voiceprints & other biometrics due to liability fears.
  • Highlights Value of Biometric Data: Allegations that Verizon disregarded BIPA underscore growing corporate hunger for biometrics.

Checking Your Voice ID Status:

• • Log into your Verizon account online and check under “Profile” or “Security Settings” for any mentions of Voice ID.
  • Call Verizon customer service (*611 from your mobile) and ask the representative to check if Voice ID is enabled.
  • Note if a voice authentication prompt is used when calling Verizon, as that likely means Voice ID is active.
  • Review your email for any Verizon messages mentioning Voice ID enrollment.
  • Check your Verizon text/chat history for discussions of creating or using a Voice ID.

Unenrolling from Voice ID:

• • Log into your Verizon account, go to “Security Settings”, look for “Voice ID” and choose the disable/delete option.
  • Contact Verizon customer service and request to unenroll from Voice ID and have any existing voiceprint data deleted.
  • Confirm the representative has completed the unenrollment/deletion and request written verification.
  • Follow up with a written request to Verizon to delete your voiceprint and confirm completion, keeping a copy for your records.
  • Be mindful using Voice ID to access your account could be interpreted as consenting to continued voiceprint collection.

When to Seek Legal Advice:

• • Suspicious Account Activity: If you see any unauthorized access or changes to your Verizon account, especially mentioning Voice ID use.
  • Improper Voiceprint Use: If you believe your voiceprint data was collected, disclosed or used by Verizon without following BIPA.
  • Trouble Unenrolling/Deleting: If Verizon is uncooperative in removing Voice ID from your account or confirming biometric data deletion.
  • Exclusion from Class: If a class is certified that you’re not part of, but you feel you have a valid BIPA claim against Verizon.
  • Concerns Over Biometric Practices: If you suspect Verizon or its partners mishandled your voiceprint or didn’t obtain proper consent.

Answers:

1. C. Social Security numbers, while sensitive, are not biometrics. Voiceprints, fingerprints, and retina scans are all specifically named in BIPA’s definition.
2. A. BIPA requires companies to provide written notice that biometrics are being collected, state the purpose and duration, and get a written release.
3. C. BIPA mandates biometric data be destroyed when the initial purpose ends or within 3 years of the individual’s last interaction with the company, whichever is sooner.
4. B. The statutory damages for a negligent violation are $1,000 per violation or actual damages, whichever is greater. For intentional/reckless violations, it’s $5,000 per violation or actual damages.
5. A. BIPA allows any person “aggrieved” by a violation to sue, which IL courts have ruled does not require any harm beyond the statutory violation itself.