U.S. District Judge Nancy J. Rosenstengel of the Southern District of Illinois granted class certification on Friday in a major biometric privacy lawsuit against Apple Inc. The ruling clears the path for a class action under the Illinois Biometric Information Privacy Act, exposing the company to potential billions in statutory damages for allegedly collecting faceprints from millions of Illinois users without notice or consent.
Judge Rosenstengel ruled that common questions regarding Apple’s data collection practices predominate over individual issues.
The suit alleges that Apple’s Photos app automatically scans facial geometry to create unique faceprints for people detected in users’ photo libraries. Plaintiffs claim Apple collected and stored this biometric data on its servers via iCloud without providing the written disclosures or obtaining the informed consent required by BIPA.
The court certified three distinct groups: a “Local Device Class” of approximately 6.5 million Illinois citizens whose devices placed a photo in a People album since September 13, 2016; an “iCloud Subclass” of about 1 million users who enabled iCloud photo storage; and an “iCloud Faceprint Subclass” of up to 2.6 million users who met specific criteria, including having at least 5,000 photos or videos, at any time between March 25, 2025, and the present.
Apple had argued that individualized inquiries into whether users labeled their photos with personal identifying information would defeat class certification. The court rejected that argument, holding that whether Apple collected biometric data capable of identifying users is a question that can be resolved on a classwide basis.
The court also rejected Apple’s contention that determining where users were located when they took photos would require mini-trials for each class member. Citing Ninth Circuit precedent, the court noted that it is reasonable to infer BIPA applies to Illinois residents even if some activities occur outside the state, and that Apple possesses location data that could help resolve those questions.
BIPA allows for liquidated damages of $1,000 for negligent violations and $5,000 for intentional or reckless ones. A 2024 amendment to the statute limits liability to a single violation per person for the same method of collection, a change the Seventh Circuit has ruled applies retroactively to pending cases.
Apple argued that the named plaintiffs were inadequate representatives because they lacked a sophisticated understanding of the law and were recruited through online advertisements. The court found the plaintiffs had a basic understanding of their claims and were adequate to represent the class, noting that class actions are typically managed by counsel rather than the named parties.
The order appoints Schlichter Bogard LLP and Montroy Law Offices, LLC as class counsel. The court noted that counsel has diligently represented the interests of the putative classes for the past six years.
Apple estimates that approximately 2.6 million Illinois users received the July 2024 software update and have at least 5,000 assets in their Photos app, a practice plaintiffs allege violates BIPA’s consent requirements.