Social media company Snap reached a $35 million settlement in principle earlier this month to resolve an Illinois class-action lawsuit alleging violations of the state’s Biometric Information Privacy Act (BIPA) through the collection of “facial biometric identifiers” without users’ consent.

According to the class-action complaint, violations of the BIPA arose with Snapchat’s “Lenses” feature, which allows users to add special effects to photos and works by “scanning the geometry of a person’s face.”

The BIPA, passed in 2008, defines biometric identifier as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

The law prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining an Illinois resident’s biometric information unless it:

  • Informs that person in writing identifiers and information will be collected and/or stored;
  • Informs the person in writing of the specific purpose and length for which the identifiers or information is being collected, stored, or used;
  • Receives a written release from the person for the collection of that data; and
  • Publishes publicly available written retention schedules and guidelines for permanently destroying said data.

The law calls for fines of up to $5,000 per person for intentional violations and $1,000 per for being found negligent.

Snap reached settlement without admitting liability or wrongdoing.

As part of the agreement, Snap must implement an in-application notice to Illinois users about how faces, hands, and/or voices might be used to make features such as Lenses and voice commands work.

“Should BIPA be amended in any fashion, Snap will ensure compliance with any applicable amendments,” the settlement stated.

Snap response: A Snap spokesperson said the company implemented the in-app consent notice earlier this year before the settlement was announced, noting the company “continues to vehemently deny that Lenses violate BIPA, which was designed to require notice and consent before collecting biometric information used to identify people.”

“We deeply value the privacy of our community, and Snapchat Lenses do not collect biometric data that can be used to identify a specific person or engage in facial identification,” the spokesperson said. “For example, Lenses can be used to identify an eye or a nose as being part of a face but cannot identify an eye or a nose as belonging to any specific person. Moreover, even the limited data that is used to power Lenses is never sent to Snap’s servers—the data never leaves the user’s mobile device.

Related case: In 2021, Facebook agreed to pay $650 million to resolve a similar class-action lawsuit alleging violations of the BIPA over photo tagging suggestions it implemented in 2010. The settlement amount was $100 million higher than what the company originally proposed.