Driver-monitoring technology faces increased exposure to litigation over biometrics handling in US

Camera-based driver-monitoring technology has become increasingly popular with carmakers and transportation companies. But the use of sensitive, personal biometric information that makes it possible is exposing car companies, camera makers and software suppliers to legal risk in the US that could result in hefty damages.

Car companies such as Subaru and camera makers like Omnitracs are facing a growing number of putative class actions alleging they've violated the Illinois Biometric Information and Privacy Act, or BIPA, which requires companies to set out clear data-processing terms, send out proper notifications and obtain written consent.

In recent months, car owners and drivers hired by truck companies have filed several US lawsuits in both federal and state courts targeting carmakers and third-party vendors that provide the driver-monitoring cameras, often equipped with scanning sensors and artificial intelligence-enabled analytical capabilities.

To overcome human errors, the cameras — usually installed on windshields — are designed to detect behavior that could lead to an accident, including fatigue, distraction, or drunkenness.

But while in-vehicle cameras may help make roads safer, the amount of data the devices collect and analyze is also raising privacy concerns, as increasingly more cars are equipped with the devices, and the potential for misuse grows.

State lawmakers are already attempting to regulate data collection by in-vehicle cameras. In California, a bill that would prohibit data collected from in-vehicle cameras from being sold to third parties or used for advertising purposes passed the state Senate last May by a 36-3 vote. The bill, SB 346, is now waiting for a hearing in the Assembly’s Privacy and Consumer Protection Committee.

Consumer rights advocacy groups such as Consumer Reports have endorsed the California proposal and are closely following legislative developments around the country.

The group said the growing use of in-car cameras raises significant privacy concerns and suggested automakers limit the use of data to the purpose of keeping drivers focused on the road, and store data within the vehicle.

Practices of car companies differ, according to a forthcoming report on driver-monitoring technology from Consumer Reports. BMW, Ford and GM don't transmit in-cabin data or video outside the vehicle. Subaru uses facial recognition technology but doesn't record any information. Tesla’s cabin camera can capture video from inside the vehicle and send that footage directly to Tesla for its use if the driver allows, according to the upcoming report.

Looming damages under BIPA

For now, Illinois’ BIPA is the primary law creating serious legal and financial risks for makers of in-vehicle cameras and their software providers.

Passed in 2008, BIPA provides for a private right of action, and penalties under the Illinois law can be steep. Illinois residents can seek $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, or actual damages.

In 2019, the Illinois Supreme Court made it easier for plaintiffs to obtain damages under BIPA, ruling that consumers don’t have to prove they’ve been harmed.

Then in December, the Appellate Court of Illinois confirmed in a ruling that BIPA claims accrue with each capture and use of a plaintiff’s biometric identifier or information.

BIPA has become a boon for plaintiffs attorneys, with nearly 2,000 lawsuits filed alleging various violations, the vast majority of them in Illinois state and federal courts. Much of the litigation involves employees suing employers over the collection of their biometric information for timekeeping and payroll purposes.

But tech companies like Amazon, Google, Facebook and TikTok, and their facial and voice recognition practices, have also been a favorite target for class-action plaintiffs.

In 2020, Facebook paid $650 million to settle a BIPA class action over its use of facial recognition technology to help users "tag" uploaded photos of their Facebook friends. Last year TikTok owner ByteDance agreed to pay $92 million and make additional privacy disclosures to settle allegations the video-sharing app collected users’ facial recognition data without permission.

Driver-monitoring cameras targeted

Plaintiffs attorneys are now turning their attention to companies that make driver-monitoring cameras and the technologies that run them, accusing them of a range of BIPA violations related to their collection of biometric information.

Japanese carmaker Subaru was targeted in a November lawsuit over its DriverFocus system, which uses a “near-infrared camera to focus on the driver’s eyes and head position” to mitigate driver distractions.

Chicago car owner Renee Giron alleges that Subaru is violating BIPA by failing to warn drivers the system collects and stores their biometric data, failing to inform drivers of the details of such data processing, and failing to obtain a written consent of its data-processing activities.

According to the complaint, carmakers including Toyota, Lexus, General Motors, BMW and Ford have all implemented similar biometric monitoring technology.

In early January, two independent camera makers were sued over alleged BIPA violations.

Omnitracs, a fleet management solutions provider that used to be owned by Qualcomm, sells a product called Critical Event Video. The company was sued in the Northern District of Illinois by a truck driver who alleges Omnitracs violated BIPA by failing to inform the driver of the details of the data collection or to obtain written consent.

Netradyne faces similar allegations in Illinois state court from a truck driver hired by Bob’s Discount Furniture. The company’s Driveri camera can instantly detect distracted driving and signal an audio alert. In addition to failure to notify and obtain consent as required by BIPA, Netradyne is also accused of failing to put in place privacy terms on its retention and destruction of data.

Lytx, another camera provider, is facing two separate, similar BIPA lawsuits filed in the second half of 2021 in both federal and state courts in Illinois. Lytx claims its product DriveCam is different from other biometrics-based technology, using machine vision and artificial intelligence instead, without capturing scans of facial geometry.

All three camera makers are headquartered in San Diego.

Identity verification creates issues

The driver-monitoring cameras often serve another function: identification, which is also creating legal risk for companies that make facial recognition software used by the devices.

Microsoft is currently facing a BIPA suit in Illinois federal court over the application of its face application programing interface, or API, that’s used in Uber apps to identify drivers.

Mario Peña, a former Uber driver based in Chicago, alleges in a lawsuit filed last May that Uber uses the API to “periodically verify the identity of its drivers by extracting and comparing unique biometric facial geometry templates.” But it does so without the consent of drivers in Illinois, which violates BIPA, according to the complaint.

Microsoft has argued the case should be dismissed because it isn't subject to BIPA because the company is based in Washington and the technology was developed and implemented outside Illinois.

“As Microsoft previously showed, it developed Face API outside of Illinois, the team responsible for it is outside Illinois, and Microsoft negotiated and entered the license agreement with Uber from outside Illinois, with Uber representatives outside of Illinois,” Microsoft said.

Mitek Systems, a provider of mobile and online identity verification, was hit more recently with a BIPA lawsuit in December in Illinois state court over the use of its identity verification technology in car rental app HyreCar.

Illinois resident Joshua Johnson claims to have uploaded an image of his driver’s license and a self-taken photograph of his face to become a verified user of the HyreCar app. HyreCar uses Mitek technology to remotely onboard new users, according to the complaint.

But according to Johnson, Mitek Systems violated BIPA because it didn't obtain proper consent before scanning the digital images of Johnson’s face and creating and storing a template of his facial geometry, which allowed HyreCar to verify Johnson’s identity later.

There’s a chance companies could face similar legal risks in other states in the future. Other state legislatures have tried to enact copycat BIPA legislation. So far, none have succeeded, but that hasn’t stopped some states from trying again this year.