Bloomberg Law
Oct. 18, 2022, 7:07 PM

Microsoft, Amazon Avoid Illinois BIPA Suits Over Photo Uploads

Christopher Brown
Christopher Brown
Staff Correspondent

Microsoft Corp. and Inc. won’t have to face separate class actions alleging they violated the Illinois Biometric Information Privacy Act when they made use of a biometric-information data set produced by IBM Corp. from photos uploaded by users to a photo-sharing website.

Judge James L. Robart of the US District Court for the Western District of Washington granted summary judgment to the tech giants in nearly identical lawsuits alleging they violated the BIPA by obtaining theinformation from the data set without users’ written consent.

Steven Vance and Tim Janecyk, the named plaintiffs in each lawsuit, failed to show that Microsoft’s allegedly illegal conduct occurred “primarily and substantially” in Illinois, a necessary element for liability under the BIPA, Robart said in granting summary judgment for Microsoft.

Robart’s order and opinion in the lawsuit against Amazon was filed under seal pending discussions with counsel as to possible redactions.

The plaintiffs also failed to provide evidence that Microsoft profited from access to their biometric information, which the company claimed it didn’t use and couldn’t have profited from, Robart said in dismissing their common-law claim of unjust enrichment.

The lawsuits arose from Microsoft’s and Amazon’s attempts to improve their the ability of their facial-recognition products to identify the faces of women and people with darker skin.

Each company investigated using a biometric data set developed by IBM to improve the diversity of faces included in facial-recognition systems. That data set—known as the Diversity in Faces Dataset— was in turn developed from a database of 100 million photos that had been uploaded by users, including Vance and Janecyk, to Flickr, the lawsuits said.

Microsoft’s conduct involved a vendor and a student intern who downloaded, reviewed, and evaluated the DiF Dataset to determine whether it would be suitable for their facial-recognition projects, Roberts said. Neither made use of the data set, according to Microsoft.

On the issue of whether Microsoft’s conduct occurred in or was connected to the state of Illinois, Robart said the most the plaintiffs could point to was the possibility that the company had stored encrypted copies of the DiF Dataset on a cloud server in the state.

But the BIPA targeted the acquisition of biometric data, not the encrypted storage of data after it has been acquired, he said. Microsoft had no part in the acquisition of the photographs or the generation of the biometric data at issue in the lawsuit, and its storage of the data in Illinois wouldn’t violate the statute, he said.

Lynch Carpenter LLP and Drury Legal LLC represented Vance and the proposed classes. Morgan Lewis & Bockius LLP, Davis Wright Tremaine LLP, and Duane Morris LLP represented Microsoft and Amazon.

The cases are Vance v. Microsoft Corp., W.D. Wash., No. 2:20-cv-01082, 10/17/22 and Vance v. Inc., W.D. Wash., No. 2:20-cv-01084, 10/17/22.

To contact the reporter on this story: Christopher Brown in St. Louis at

To contact the editors responsible for this story: Rob Tricchinelli at; Maya Earls at