A lawsuit filed on Friday claims that Amazon.com Inc., through its cloud computing subsidiary, violated the Illinois Biometric Information Privacy Act (BIPA) rights of a sixteen-year-old video gamer. The complaint, filed by the guardian of the Illinois minor, was filed against Amazon for their role in providing cloud computing services to the game’s developer.
The filing asserts that basketball simulation video game NBA 2K is paired with a companion app, which allows users to scan their faces and upload them onto a player in the game. They say the app illegally captured and stored the minor’s facial geometry, a unique biometric identifier.
The Seattle, Washington filing explains that Amazon provides cloud computing services to Take 2 Interactive Software Inc. and its wholly owned publisher subsidiary 2K Games Inc. (together, Take 2). The defendants reportedly provide “servers, computing, storage, and … the infrastructure to deliver [Take 2’s] games to internet-connected gaming platforms.”
Beginning in 2016, Take 2 released the companion app, which among other things, allows players to redeem game codes, obtain video game information and news, and customize their in-game characters. In addition, the app offers players a “SCAN YOUR FACE” feature, requiring “that a user log in to their gaming platform account, then pose their face in thirteen different directions while taking pictures with their mobile device in front of their face.”
In the plaintiff’s experience, once his face geometry was created, Amazon “transmitted it via CloudFront through the AWS/Amazon Regional Edge Cache/Edge Location system described above and delivered it to [the plaintiff’s] Xbox One at his home in Illinois,” among other usages.
Critically, the filing explains, Amazon violated the user’s BIPA rights by failing to inform him in writing that it was collecting or storing his biometric data, the purpose for which it was collected, and the length of time it was retained. Among other alleged wrongs, Amazon failed to obtain consent and to maintain and publicize the requisite policy, including a retention schedule and guidelines for the data’s permanent destruction.
The plaintiff seeks to certify a class of similarly situated adult Illinois residents and a subclass of Illinois minors. He seeks statutory damages of $1,000 for each BIPA violation and $5,000 for each wilful violation. The minor also requests injunctive relief halting the purportedly illegal data collection practices and an award of his attorneys’ fees and court costs.