A former health worker is suing identity verification service ID.me for violating her privacy under Illinois’ Biometric Information Privacy Act (BIPA). Latisha Skinner is suing ID.me instead of her former employer, Ann & Robert H. Lurie Children’s Hospital.
According to the complaint, in January 2020, her employer required her to use ID.me, which requires a voice or face print for verification. Skinner uploaded a selfie to be used as a face print.
At the time, ID.me’s policies said that data is deleted 7.5 years after the account is closed. However, the Biometric Information Privacy Act requires deletion of biometric information within three years.
Since then, ID.me has revised its data retention policies, and now claims it deletes the data after three years unless the government intervenes. In light of the revised policies, ID.me said that Skinner’s lawsuit has no merit.
In previous similar cases, plaintiffs usually target the business using the biometric verification systems, not the companies providing them. That said, ID.me has been the subject of controversy severally, most notably when it was speculated that it would be used as a third-party ID verification provider by the IRS.
The Senate has called on the Federal Trade Commission to investigate the company on suspicion that it misled the government about its service.