Amazon Claims Student’s Biometric Data Collection Suit is Impermissible Expansion of BIPA Liability

Amazon Web Services Inc. (AWS) has fired back at allegations that it secretly collects biometric information from Illinois residents in violation of the Illinois Biometric Information Privacy Act (BIPA). Monday’s motion to dismiss and strike the student plaintiff’s class action contentions argues that the novel suit is a “brazen attempt” to expand BIPA liability “far beyond what its authors could have possibly intended.”

The complaint, filed several months ago in Seattle, Wash., asserts that AWS provides a facial recognition service called Amazon Rekognition that allegedly collects biometric data from its clients’ users. The case centers around the example of ProctorU, online test-taking software used by educational institutions that employs facial recognition technology to verify identity. Purportedly, when students, including the plaintiff, upload their images to ProctorU, they are also uploading their photos to ProctorU’s cloud-service provider, AWS. 

In addition, AWS allegedly uses Rekognition to perform facial recognition to match the test taking student with their identification card. “In other words, when students sign in to ProctorU to take a test, their biometric data is also collected by AWS in order to identify the student for ProctorU,” the complaint states.

The plaintiff seeks to represent a class of all Illinois residents who had their biometric information obtained by Amazon’s Rekognition service and stored on AWS’s servers.

In this week’s dismissal motion, AWS says the complaint is misguided for a number of reasons and accuses the plaintiff of targeting Amazon, because of its “deep pockets,” rather than the higher learning institutions that required her to use ProctorU.

AWS claims that back-end service providers are not liable under BIPA because such a reading is inconsistent with the law. “Plaintiff does not, and cannot, allege that AWS ‘possessed’ or ‘collected’ her data within the meaning of BIPA, and she therefore cannot allege that BIPA applies to AWS at all,” the motion states.

The complaint is also geographically challenged, AWS argues, pointing out that applying BIPA to AWS’s “wholly out-of-state conduct,” would violate the U.S. Constitution’s Dormant Commerce Clause.

AWS further defends on grounds that BIPA does not apply to financial institutions subject to the federal Gramm-Leach-Bliley Act, which includes the colleges the plaintiff attended. The argument continues that “[f]orcing AWS to comply with BIPA’s requirements in this context inevitably would force Plaintiff’s colleges to comply with BIPA, too,” a notion purportedly contrary to the statute’s plain language. Lastly, AWS asserts that the plaintiff’s class allegations must be stricken under Rule 12(f) as “patently overbroad.”

Oral argument is requested. The case is before Judge John H. Chun of the Western District of Washington.

Carson Noel PLLC, Edelson PC, Bursor & Fisher P.A., and Carney Bates and Pulliam PLLC are counsel for the plaintiff while Perkins Coie LLP represents Amazon.

While this case is against Amazon Web Services, ProctorU was previously sued in March 2021 for biometrics violations following a data breach.