by LawInc Staff
September 22, 2024
If you’re a Verizon or Verizon Wireless customer in Illinois who used their “Voice ID” feature, you may be part of a major class action lawsuit alleging violations of the Illinois Biometric Information Privacy Act (BIPA). This guide provides an in-depth look at the case, the claims, the law, and what it could mean for you.
From how Voice ID works to the strict requirements of BIPA, the potential penalties Verizon faces, and how to protect your privacy rights, get all the essential details on this high-stakes biometric privacy litigation.
1. Understanding The Illinois BIPA Law
-
- “Biometric Identifier” Definition: Includes voiceprints, fingerprints, face/hand scans, retina/iris scans.
- Strict Notice & Consent Rules: Companies must provide written notice and obtain written releases before collecting biometrics.
- Data Retention Limits & Destruction: Policies required on retention schedule and guidelines for permanently destroying biometrics.
- No Profits from Biometric Data: Bans companies from selling, trading, or otherwise profiting from customer biometrics.
- Statutory Penalties: Provides for $1,000 or actual damages (whichever is greater) for negligent violations, $5,000 for intentional/reckless ones.
Key Definitions:
-
- Biometric Identifier: Voiceprint and other unique biological patterns or characteristics used to identify a specific individual.
- Biometric Information: Any information based on a biometric identifier, regardless of how it’s captured, converted, stored or shared.
- Written Release: Informed consent authorizing collection of biometric data for a specific purpose, for a specified time period.
- Private Entity: Any individual, partnership, corporation, LLC, association or other group, however organized.
- Voiceprint: Distinctive patterns of an individual’s voice used to uniquely identify that person.
BIPA’s Purpose:
-
- Protect public welfare, security & safety by regulating biometric collection, use, safeguarding, handling, storage & destruction.
- Give consumers control over if/how their biometrics are collected and used, as ramifications of biometrics not fully known.
- Make biometric-driven transactions more secure and readily available, by alleviating privacy concerns through transparency.
- Hold companies accountable via strict compliance standards and meaningful penalties for violations.
- Prevent harmful, unintended consequences from unchecked biometric-facilitated financial transactions.
Why It Matters:
-
- Biometrics Are Uniquely Sensitive: You can change a credit card number but not your face, fingerprint or voice.
- Identity Theft & Fraud Risks: Stolen biometrics enable criminals to impersonate you in concerning ways.
- Permanence When Compromised: Biometrics are often irreplaceable once breached, causing long-term security issues.
- Covert Collection Potential: Biometrics can be captured without your knowledge, unlike a password you enter.
- Profitable Data for Companies: Your unique identifiers are valuable for targeted marketing, research and more.
2. How Verizon’s Voice ID System Works
-
- Enrollment Process: Customers sent text/email link, directed to site to create Voice ID by repeating a passphrase.
- Voiceprint Collection: System captures a recording and creates an individual voiceprint during setup.
- Authenticating Callers: On later calls, customer speaks and Voice ID compares to stored voiceprint to verify identity.
- Applies Across Services: Voice ID used to access wireless, Fios internet/TV, and other Verizon accounts.
- Vague Consent Language: Enrollment flow has brief, broad references to “Voice ID” but no express BIPA disclosures/consent.
How Voiceprints Work:
-
- Voice recordings are analyzed to extract distinctive patterns of pitch, cadence, tone that are unique to each person.
- Mathematical algorithms convert those patterns into a digital “voiceprint” – a hashed string of characters.
- Voiceprints can be compared to real-time or recorded speech to assess if two samples are from the same person.
- Like other biometrics, voiceprints are stable identifiers that can’t be altered and are unique to each individual.
- Voiceprints raise similar privacy/security concerns as fingerprints or facial recognition if compromised.
Alleged BIPA Violations:
-
- Not informing customers in writing that biometrics (voiceprints) were being collected/stored.
- Not providing written notice of the specific purpose and length of term for biometric collection/storage/use.
- Not obtaining written releases from customers before collecting their biometric voiceprints.
- Not making a retention schedule or destruction guidelines publicly available.
- Continuing to violate BIPA each time a new customer enrolls in Voice ID and on every call where it’s used.
Potential Penalties:
-
- Statutory Damages: $1,000 per negligent violation, $5,000 per intentional/reckless one, or actual damages if greater.
- Injunctive Relief: Court orders requiring Verizon to comply with BIPA requirements moving forward.
- Attorneys’ Fees & Costs: Plaintiffs’ legal expenses paid if they prevail, incentivizing lawsuits to enforce BIPA.
- Reputation Damage: Negative publicity from allegations of secretly collecting customer biometrics.
- Expensive Litigation: Costs of defending a large class action through trial or settlement, which could take years.
3. The Legal Claims Against Verizon
-
- Claim #1 – 740 ILCS 14/15(b): Failure to inform in writing & obtain written releases before capturing voiceprints.
- Claim #2 – 740 ILCS 14/15(a): Failure to provide a public retention schedule & destruction guidelines for collected biometrics.
- Claim #3 – 740 ILCS 14/15(e): Failure to protect biometric data from disclosure using reasonable care standards.
- Intentional/Reckless Conduct: Verizon allegedly knew BIPA’s rules but intentionally or recklessly failed to comply.
- Class Action Treatment: Case brought on behalf of all IL residents whose voiceprints Verizon captured via Voice ID since 9/13/19.
15(b) Notice & Consent Requirements:
-
- Written Notice of Collection: Must inform subjects in writing that biometric identifiers/information will be collected or stored.
- Written Notice of Purpose & Term: Must state the specific purpose and length of term for which biometrics will be collected, stored & used.
- Written Release: Must receive a written release executed by the person or their legally authorized representative.
- Separate Violations: Each failure to comply with individual notice, purpose, term or release rules is a distinct violation.
- Ongoing Duty: Requirements apply to initial collection and all subsequent captures or transmissions of the biometrics.
15(a) Retention & Destruction Duties:
-
- Written, Public Policy: Must develop a publicly available policy establishing a retention schedule & destruction guidelines.
- Destroy When Purpose Ends: Biometrics must be permanently destroyed when the initial collection purpose is satisfied.
- Destroy After 3 Years Max: If purpose ongoing, must permanently destroy within 3 years of individual’s last interaction with entity.
- Mandatory Compliance: Absent a valid warrant/subpoena, entity must comply with its established retention & destruction policy.
- Continuing Obligation: Policy must be in place for entire time entity is in possession of the collected biometrics
15(e) Disclosure & Care Requirements:
-
- Reasonable Standard of Care: Must protect biometric data using reasonable care for the industry and in a manner as protective as other confidential info.
- Same As Protecting Other Data: If have other confidential/sensitive info, biometrics must get equivalent or greater protections.
- Evolving Duty: As technology and best practices change, level of required protection and care may increase over time.
- Fact-Specific Inquiry: Reasonableness of care depends on nature of data, risks involved, costs of protection, etc.
- Third Party Transfers: Restrictions and duties apply to initial collector and any downstream entities data is shared with.
4. Potential Defenses Verizon May Raise
-
- Voiceprints Aren’t “Biometric Identifiers”: May argue Voice ID doesn’t collect biometric data covered by BIPA.
- Consent Was Obtained: Could claim consent language in enrollment process or service terms constitutes written release.
- Plaintiffs Lack Standing: May challenge named plaintiffs’ right to sue by disputing their Voice ID enrollment/use.
- Damages Are Excessive: Could argue statutory penalties of $1,000/$5,000 per violation violate due process.
- Any Violations Not Intentional/Reckless: May say no proof of required mental state for enhanced $5,000 penalties.
Key Hurdles for Verizon:
-
- BIPA’s Plain Language: Statute expressly includes “voiceprints” in definition of protected “biometric identifiers”.
- Strict Consent Requirements: Written release must be a separate, clear affirmative act after required disclosures.
- Broad Standing Under BIPA: Any person “aggrieved” by a BIPA violation can sue, regardless of additional harm.
- Statutory Penalties are Aggregated: Liquidated damages apply separately to each individual BIPA violation.
- Size and Sophistication: As a large, well-resourced corporation, recklessness may be presumed if violations occurred.
Possible Case Outcomes:
-
- Class Certification: If class certified, case proceeds on behalf of all IL residents whose voiceprints Verizon collected since 9/13/19.
- Summary Judgment: Court could decide key legal issues like whether BIPA applies to voiceprints as a matter of law before trial.
- Settlement: Verizon may pursue an early settlement to cap financial exposure and avoid further litigation costs/risks.
- Trial: If case doesn’t settle, a jury would decide if Verizon violated BIPA and whether any violations were negligent or reckless.
- Damages: For any proven violations, Verizon would owe $1,000 (negligent) or $5,000 (reckless) per violation to each class member.
Implications & Considerations:
-
- High Stakes for Verizon: With millions of customers, BIPA violations could lead to massive potential damages exposure.
- Increased Litigation Risk: Case part of growing trend of bet-the-company biometric privacy suits under BIPA.
- Elevates Biometric Best Practices: Organizations collecting biometrics must closely adhere to latest compliance standards.
- Impact on Voice Authentication: Companies may be deterred from adopting voiceprints & other biometrics due to liability fears.
- Highlights Value of Biometric Data: Allegations that Verizon disregarded BIPA underscore growing corporate hunger for biometrics.
5. What Voice ID Users Can Do
-
- Preserve Your BIPA Rights: Avoid disclaiming your rights through waivers or arbitration agreements when possible.
- Document Your Enrollment/Use: Save any emails, texts, screenshots or other records of your Voice ID enrollment and use.
- Monitor Case Developments: Follow the lawsuit’s progress, as a class may be certified that you’re automatically part of.
- Consider Opting Out of Voice ID: You may be able to avoid further BIPA violations by unenrolling from Voice ID if not needed.
- Consult With an Attorney: If you believe your BIPA rights were violated, speaking with a lawyer can help assess your options.
Checking Your Voice ID Status:
-
- Log into your Verizon account online and check under “Profile” or “Security Settings” for any mentions of Voice ID.
- Call Verizon customer service (*611 from your mobile) and ask the representative to check if Voice ID is enabled.
- Note if a voice authentication prompt is used when calling Verizon, as that likely means Voice ID is active.
- Review your email for any Verizon messages mentioning Voice ID enrollment.
- Check your Verizon text/chat history for discussions of creating or using a Voice ID.
Unenrolling from Voice ID:
-
- Log into your Verizon account, go to “Security Settings”, look for “Voice ID” and choose the disable/delete option.
- Contact Verizon customer service and request to unenroll from Voice ID and have any existing voiceprint data deleted.
- Confirm the representative has completed the unenrollment/deletion and request written verification.
- Follow up with a written request to Verizon to delete your voiceprint and confirm completion, keeping a copy for your records.
- Be mindful using Voice ID to access your account could be interpreted as consenting to continued voiceprint collection.
When to Seek Legal Advice:
-
- Suspicious Account Activity: If you see any unauthorized access or changes to your Verizon account, especially mentioning Voice ID use.
- Improper Voiceprint Use: If you believe your voiceprint data was collected, disclosed or used by Verizon without following BIPA.
- Trouble Unenrolling/Deleting: If Verizon is uncooperative in removing Voice ID from your account or confirming biometric data deletion.
- Exclusion from Class: If a class is certified that you’re not part of, but you feel you have a valid BIPA claim against Verizon.
- Concerns Over Biometric Practices: If you suspect Verizon or its partners mishandled your voiceprint or didn’t obtain proper consent.
Summary
The class action lawsuit against Verizon for alleged violations of Illinois’ Biometric Information Privacy Act highlights the growing risks companies face when collecting and using customer biometric data like voiceprints.
With statutory penalties of up to $5,000 per violation, potential damages could be significant if the claims are proven. The case underscores the importance of transparency, consent and data security when dealing with sensitive biometric identifiers.
For anyone who has used Verizon’s Voice ID system, staying apprised of developments in the litigation is prudent. Unenrolling from the service and consulting with an attorney are steps to consider for those concerned about their biometric privacy.
Quiz: Test Your BIPA & Biometric Privacy Knowledge
- Which of the following is NOT considered a “biometric identifier” under BIPA?
- Voiceprint
- Fingerprint
- Social Security Number
- Retina Scan
- Before collecting biometric data, a company must:
- Inform the individual in writing and obtain a written release
- Provide 30 days advance notice
- Get verbal consent while recording the individual
- No specific notice or consent is required
- How long can a company keep biometric data under BIPA?
- No specific limit as long as it’s secure
- 1 year from collection date
- Until the initial purpose is satisfied, or 3 years from last interaction with the individual
- 5 years from collection unless individual requests earlier deletion
- What are the potential statutory damages for a negligent BIPA violation?
- $100 per violation
- $1,000 per violation
- Actual damages only
- No statutory damages for negligent violations
- To have standing to sue under BIPA, an individual must:
- Be “aggrieved” by a violation, with no additional harm required
- Show monetary damages from the violation
- Have been an identity theft victim due to the violation
- Demonstrate severe emotional distress caused by the violation
Answers:
- C. Social Security numbers, while sensitive, are not biometrics. Voiceprints, fingerprints, and retina scans are all specifically named in BIPA’s definition.
- A. BIPA requires companies to provide written notice that biometrics are being collected, state the purpose and duration, and get a written release.
- C. BIPA mandates biometric data be destroyed when the initial purpose ends or within 3 years of the individual’s last interaction with the company, whichever is sooner.
- B. The statutory damages for a negligent violation are $1,000 per violation or actual damages, whichever is greater. For intentional/reckless violations, it’s $5,000 per violation or actual damages.
- A. BIPA allows any person “aggrieved” by a violation to sue, which IL courts have ruled does not require any harm beyond the statutory violation itself.
Need Legal Help?
If you need legal assistance, in any field of law, our free concierge service can connect you with experienced attorneys in any practice area and state. Contact us to learn more.
Also See
Unfair ATM Fees? Get Your Money Back from Visa & Mastercard’s $197.5 Million Payout
Navient’s $120M Bombshell: The Student Loan Scandal That Rocked the Nation