Apple Faces 10-Million-Member Class Action Over Faceprint Collection

SPRINGFIELD (LN) — A federal judge on Friday granted class certification in a major biometric privacy lawsuit against Apple Inc., clearing the path for millions of Illinois users to sue the company for allegedly harvesting faceprints through its Photos app without providing required disclosures or obtaining written consent.

U.S. District Judge Nancy J. Rosenstengel of the Southern District of Illinois certified three classes totaling approximately 10 million members, rejecting Apple’s argument that individualized questions about user behavior would defeat class treatment.

The ruling exposes Apple to potential liability in the billions. Under Illinois’ Biometric Information Privacy Act, or BIPA, plaintiffs can recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. A 2024 amendment to the statute limits recovery to a single violation per person for the same method of collection, but the sheer size of the certified class keeps the financial stakes enormous.

Plaintiffs allege that Apple’s Photos app, which comes pre-installed on iPhones, iPads, and Macs, uses facial recognition technology to scan face geometries and create unique “faceprints” for people detected in users’ photo libraries. The suit claims Apple began syncing this biometric data to its iCloud servers in 2017 and, as of July 2024, began storing the faceprints themselves directly on its servers for users with large photo libraries.

Apple opposed certification, arguing that whether the data constituted biometric identifiers depended on whether individual users labeled their photo albums with personal identifying information. The company also contended that determining where users were located when they took photos required individualized inquiries that would overwhelm common questions.

The court disagreed, holding that whether Apple collected biometric data capable of identifying users was a common question resolvable on a classwide basis. It noted that Apple possesses user location data and could use common proof to determine where relevant activities occurred.

Rosenstengel wrote that Apple’s focus on individual location questions was a distraction from the common issues connecting all plaintiffs, specifically whether Apple collected or possessed biometric identifiers without complying with BIPA.

The court certified a “Local Device Class” of approximately 6.5 million Illinois citizens whose devices placed a photograph of them into a People album between September 2016 and the present.

It also certified an “iCloud Subclass” of about 1 million members who enabled iCloud photo storage.

Finally, it certified an “iCloud Faceprint Subclass” of up to 2.6 million members who met specific storage and software requirements beginning in March 25, 2025.

Apple argued that the named plaintiffs were inadequate representatives because some did not understand the nature of their claims or BIPA itself, characterizing the suit as lawyer-driven litigation with plaintiffs serving as figureheads. The court rejected that characterization, noting that class representatives are not required to have an advanced understanding of the law and that the record showed the named plaintiffs had a basic understanding of their claims and roles.

Schlichter Bogard LLP and Montroy Law Offices, LLC were appointed as class counsel. The firms have represented the putative classes for six years and have been appointed as class counsel in more than 40 cases, according to the order.

The certification order does not address the merits of Apple’s liability or the ultimate damages award, which will be determined in subsequent phases of the litigation.