“Taking our data without notice isn’t convenient, it’s creepy.”
Everybody’s favourite big tech giant, Amazon, is facing yet another class-action lawsuit, this time for allegedly deploying biometric recognition technologies to monitor Amazon Go customers in its New York City outlets without their knowledge. According to the lawsuit, Amazon violated a 2021 NYC law which mandates that all business establishments that track their customers’ biometric information, including retail stores, must at least inform their customers that they are doing so. Amazon apparently didn’t.
“The lawsuit was filed in the U.S. District Court for the Southern District of New York on behalf of Brooklyn resident Alfredo Rodriguez Perez and a proposed class of tens of thousands of Amazon Go customers,” says the privacy advocacy group Stop Surveillance Technology Oversight Project. “The complaint claims that from January 2022 to March 13, 2023 Amazon failed to post any sign stating that Amazon Go stores collect biometric data, including for over a month after Mr. Perez told Amazon it violated New York City law by failing to do so.”
Amazon opened its first Go stores in New York in 2019 and now has ten stores in the city, all in Manhattan. The stores operate on the premise that customers can walk in, take whatever products they want off the shelves and leave without checking out. The company monitors visitors’ actions and charges their accounts when they leave the store. It is the epitome of tech-enabled convenience, but it seems that not all New Yorkers are willing to pay the price by trading in their most personal data.
Amazon only recently erected signs informing New York customers of its use of biometric recognition technology, more than a year after the disclosure law went into effect, claims the lawsuit. The company has also allegedly begun posting signs claiming that Amazon only harvests biometric data from customers who opt into the company’s palm scanner program. However, the plaintiffs in the lawsuit claim that the company was collecting biometric data on all customers, such as their body shape and size, including those who refuse to use the palm scanner.
“New Yorkers shouldn’t have to worry that we’ll have our biometric data secretly tracked anytime we want to buy a bag of chips,” said Surveillance Technology Oversight Project Executive Director Albert Fox Cahn. “Taking our data without notice isn’t convenient, it’s creepy. We have a right to know when our biometric data is used, and it’s appalling that one of the world’s largest companies could so flagrantly disregard the law. It’s stunning to think just how many New Yorkers’ data has already been compromised, and without them ever knowing it.”
New York is one of a small but growing handful of US cities that have passed biometric laws over the past couple of years. So far, three states — Texas, Washington and Illinois — have passed standalone biometrics laws, though many more are expected to do so this year. In Illinois alone, more than 1,000 class action lawsuits have been filed under the state’s Biometric Information Privacy Act (BIPA). The public is increasingly attuned to biometric privacy risks and as a result the litigation costs are growing for companies, notes the Cybersecurity Law Report:
BIPA applies to companies that collect, capture, purchase, obtain, disclose, or disseminate “biometrics identifiers,” defined as “a retina or iris scan, fingerprint, voiceprint, or a scan of hand or face geometry,” or “biometric information,” defined as any “information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”
Companies subject to the law must:
• have a publicly available written biometrics policy;
• obtain an individual’s written consent prior to collection; and
• otherwise comply with the statutory restrictions on biometric use, sale and
The risks of non-compliance are steep: BIPA permits actual damages or liquidated damages of $1,000 for each negligent violation and $5,000 for each reckless or intentional violation, plus attorneys’ fees and costs and injunctive relief.
The pace of BIPA litigation and settlements has been relentless. Last year, Facebook settled a BIPA class action over its photo-tagging feature for $650 million, and TikTok settled for $92 million over face detection in videos. Microsoft, Google, IBM and others have not escaped scrutiny.
Meanwhile, in Europe…
On the other side of the Atlantic, the pushback against the growing use of biometric surveillance systems, by companies and governments alike, is also growing. In the UK, the unmanned store experience offered by Amazon has been such a flop that the company has had to begin opening stores with actual flesh-and-blood human beings serving customers. In 2021, Amazon reportedly had its sights set on opening 260 cashierless supermarkets across the UK by 2025. So far, it has opened just 20 Amazon Fresh locations in the country, all except one of them in London.
Also in the UK, the Information Commissioner (ICO) last month reprimanded the North Ayrshire Council for using facial recognition technology in secondary schools “in a manner that is likely to have infringed data protection law.” Why it took a year-and-a-half for the ICO to reach this conclusion, despite a sustained public backlash against the move, is anyone’s guess…
Read the full article on Naked Capitalism