In Flora v. Prisma Labs, the plaintiffs allege Prisma failed to meet all of the Illinois Biometric Privacy Act (BIPA)’s procedural requirements before collecting Lensa users’ selfies, pulling their facial geometry information from those images, and training the model on those geometries to output personalized avatars. First, they allege Prisma violated section 15(a), requiring Prisma to develop a written policy establishing a schedule to destroy biometric data after a certain time; they allege Prisma violated section 15(b) for collecting user’s biometric data without first notifying the user in writing of the purpose and length of collect and receiving a written release form; they also allege violations of sections 15(c) by profiting off of biometric data collected to improve Lensa, 15(d) by transferring users’ biometric data to third-party cloud servers without disclosing this and receiving user consent, and 15(e) for failing to store user’s biometric data in a way that meets the industry standard of care. Importantly, the Flora plaintiffs rely heavily on the version of Prisma’s Privacy Policy that was in place when they downloaded the app in early December 2022. According to them, the wording of that policy was vague with the terms it used to describe the facial information Lensa collects, never using the terms “facial geometry” or “biometric” despite using the term “face data” in a separate part of the Policy (after claiming the company does not collect such data).
The Flora plaintiffs also suggest that Prisma’s Privacy Policy states the company deletes users’ biometric data (gleaned from their uploaded selfies) within 24 hours of creating the avatars. But this claim by Prisma is spurious, as the ML community is still trying to understand the extent to which models memorize training data in ways that make it impossible to delete or remove that data from the ultimate models.