`
`
`
`BURSOR & FISHER, P.A.
`L. Timothy Fisher (State Bar No. 191626)
`1990 North California Boulevard, Suite 940
`Walnut Creek, CA 94596
`Telephone: (925) 300-4455
`Facsimile: (925) 407-2700
`Email: ltfisher@bursor.com
`
`HEDIN HALL LLP
`David W. Hall (State Bar No. 274921)
`Four Embarcadero Center, Suite 1400
`San Francisco, CA 94111
`Telephone: (415) 766-3534
`Facsimile: (415) 402-0058
`Email: dhall@hedinhall.com
`
`Counsel for Plaintiff and the Putative Class
`
`[Additional Counsel on Signature Page]
`
`
`
`
`UNITED STATES DISTRICT COURT
`
`NORTHERN DISTRICT OF CALIFORNIA
`
`
`
`
`Case No.
`
`
`CLASS ACTION COMPLAINT
`
`
`JURY TRIAL DEMANDED
`
`
`
`H.K. and J.C., through their father and legal
`guardian CLINTON FARWELL, individually
`and on behalf of all others similarly situated,
`
`
`
`
`GOOGLE, LLC,
`
`
`
`v.
`
`Plaintiffs,
`
` Defendant.
`
`
`
`
`CLASS ACTION COMPLAINT
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 2 of 32
`
`
`
`On behalf of themselves and all others similarly situated, Plaintiffs H.K. and J.C., minor
`children, by and through their father and legal guardian Clinton Farwell (collectively, “Plaintiffs”),
`bring this Class Action Complaint against Google LLC (“Google”) for violation of Illinois’
`Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1, et seq., and violation of California’s
`Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code §17200, predicated on violation of the
`federal Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. § 501, et seq., and allege
`as follows based on personal knowledge as to themselves, on the investigation of their counsel and
`the advice and consultation of certain third-party agents as to technical matters, and on information
`and belief as to other matters, and demand trial by jury.
`
`NATURE OF THE ACTION
`1.
`Plaintiffs bring this action for damages and other legal and equitable remedies
`resulting from the illegal actions of Google in collecting, storing, and using their and other
`similarly situated childrens’ biometric identifiers1 and biometric information2 (referred to
`collectively as “biometrics”), as well as numerous other forms of personally identifying
`information, without them requisite consent of their legal guardians – in direct violation of both
`BIPA and COPPA.
`2.
`In 1999, to better protect the privacy of children under the age of 13, the United
`States Congress enacted COPPA in response to a growing concern over the collection of children’s
`data on the Internet. In passing COPPA, Congress specifically sought to increase parental
`involvement in children’s online activities, ensure children’s safety during their participation in
`online activities, and most importantly, protect children’s personal information. Ultimately,
`Congress enacted COPPA with the specific goal of placing parents in control over what
`information is collected from their young children online. To that end, COPPA requires, in
`relevant part, that websites and online services fully and clearly disclose their data collection, use,
`and disclosure practices, and obtain “verifiable parental consent” before collecting, using, or
`
`1
`A “biometric identifier” is any personal feature that is unique to an individual, including
`fingerprints, iris scans, DNA and “face geometry,” among others.
`
`2
`“Biometric information” is any information captured, converted, stored, or shared based on
`a person’s biometric identifier used to identify an individual.
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`1
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 3 of 32
`
`
`
`disclosing personal information from children under 13. Further, COPPA requires websites and
`online services to permit parents to review all personal information they collect and maintain from
`children under 13, and to allow parents to refuse further use or maintenance of those data.
`Similarly, websites and online services may not condition a child’s use of a site or service on the
`collection of more personal information than is reasonably necessary, and must take reasonable
`steps to keep confidential and safe any personal information in their possession.
`3. More recently, in 2008, the Illinois Legislature recognized the importance of
`protecting the privacy of individuals’ biometric data, finding that “[b]iometrics are unlike other
`unique identifiers that are used to access finances or other sensitive information.” 740 ILCS
`14/5(c). “For example, social security numbers, when compromised, can be changed. Biometrics,
`however, are biologically unique to the individual; therefore, once compromised, the individual has
`no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-
`facilitated transactions.” Id.
`4.
`In recognition of these concerns over the security of individuals’ biometrics, the
`Illinois Legislature enacted BIPA, which provides, inter alia, that a private entity like Google may
`not obtain and/or possess an individual’s biometrics unless it: (1) informs that person in writing
`that biometric identifiers or information will be collected or stored, see id.; (2) informs that person
`in writing of the specific purpose and length of term for which such biometric identifiers or
`biometric information is being collected, stored, and used, see id.; (3) receives a written release
`from the person for the collection of her biometric identifiers or information, see id.; and (4)
`publishes publicly available written retention schedules and guidelines for permanently destroying
`biometric identifiers and biometric information, 740 ILCS 14/15(a).
`5.
`Incredibly, Google has managed to violate both of these important consumer
`protection statutes (COPPA and BIPA) at the same time, by collecting, storing, and using the
`personally identifying biometric data of millions of school children throughout the country
`(including thousands in Illinois), most of whom are under the age of 13, without seeking, much less
`obtaining the requisite informed written consent from any of their parents or other legal guardians.
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`2
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 4 of 32
`
`
`
`6.
`Google has infiltrated the primary and secondary school system in this country by
`providing access to its “ChromeBook” laptops, which come pre-installed with its “G Suite for
`Education” platform (formerly referred to as Google Apps for Education), to over half of the
`nation’s school children, including those in Illinois, most of whom are under the age of 13. When
`these children use Google’s “G Suite for Education” platform on the company’s ChromeBook
`laptops at school, Google creates, collects, stores and uses their “face templates” (or “scans of face
`geometry”) and “voiceprints” – highly sensitive and immutable biometric data – as well as various
`other forms of personally identifying information pertaining to these children, including:
`a.
`their physical locations;
`b.
`the websites they visit;
`c.
`every search term they use in Google’s search engine (and the results they
`click on);
`d.
`the videos they watch on YouTube;
`e.
`personal contact lists;
`f.
`voice recordings;
`g.
`saved passwords; and
`h.
`other behavioral information
`7.
`Each voiceprint and face template that Google extracts from a child and catalogues
`in its vast biometrics database is unique to that child, in the same way that a fingerprint uniquely
`identifies one and only one person. Google supplements this biometric data with other personally
`identifying information pertaining to each child, including the child’s e-mail address and name.
`8.
`Thus, in direct violation of both BIPA and COPPA, Google has collected, stored,
`and used (and continues to collect, store, and use) – without providing notice, obtaining informed
`or verifiable parental consent, or publishing data retention policies – the biometrics and other
`personally identifying information of millions of school children under the age of 13 across the
`country, including tens of thousands of young children in Illinois.
`9.
`Plaintiffs, individually and on behalf of other similarly situated children, by and
`through their father and legal guardian Clinton Farwell, bring this action to stop Google from
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`3
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 5 of 32
`
`
`
`further violating the BIPA-protected privacy rights of children in Illinois and the COPPA-protected
`privacy rights of children under 13 all across the country in connection with their use of the “G
`Suite for Education” platform, and to recover statutory damages for Google’s unauthorized
`collection, storage, and use of Illinois students’ biometric data in violation of BIPA.
`
`PARTIES
`10. Plaintiffs H.K. and J.C., and their father and natural legal guardian, Clinton Farwell
`are, and at all relevant times have been, citizens of the State of Illinois residing in Bushnell,
`Illinois. Plaintiffs H.K. and J.C. were under the age of 13 when they used Google’s “G Suite for
`Education” platform at their elementary school in Bushnell, Illinois, which is within Prairie City
`Community Unit School District #170, and they are still under the age of 13 today. Neither
`Plaintiff H.K. nor Plaintiff J.C. was asked for verifiable or written parental consent authorizing
`Google extraction, collection, storage, and use of their personally and uniquely identifying
`“biometric identifiers” or “biometric information,” nor was Plaintiffs’ father, Clinton Farwell,
`notified of or asked to provide his written authorization to permit Google’s collection, storage, or
`use of such data.
`11. Google, LLC is a Delaware corporation with its headquarters at 1600 Amphitheatre
`Parkway, Mountain View, California 94043. Google is also registered to do business in Illinois
`(No. 65161605).
`
`JURISDICTION AND VENUE
`12. The Court has original subject-matter jurisdiction over this action pursuant to the
`Class Action Fairness Act, 28 U.S.C. § 1332(d) (“CAFA”), because: (i) the proposed BIPA Class
`consists of at least tens of thousands of members; (ii) at least one member of the proposed BIPA
`Class, including both of the Plaintiffs as well as their father, is a citizen of a state different from
`Google; and (iii) the aggregate amount in controversy exceeds $5,000,000.00, exclusive of interests
`and costs. Google has extracted, collected, stored, and used thousands of minor school childrens’
`voiceprints and scans of face geometry in connection with their use of Google’s “G Suite for
`Education” platform on the company’s “ChromeBook” laptops at primary and secondary schools in
`Illinois. The estimated number of children who have been impacted by Google’s conduct in
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`4
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 6 of 32
`
`
`
`Illinois multiplied by the BIPA’s statutory liquidated damages figure ($5,000.00 for each
`intentional or reckless violation and $1,000.00 for each negligent violation) easily exceeds CAFA’s
`$5,000,000.00 threshold. The Court also has supplemental jurisdiction over Plaintiffs’ UCL claim
`for injunctive relief arising from Google’s violations of COPPA pursuant to 28 U.S.C. § 1367.
`13. Personal jurisdiction and venue are proper in California and within this District
`because Defendant maintains its corporate headquarters and principal place of business within this
`District, in Mountain View, California.
`
`I.
`
`FACTUAL BACKGROUND
`Biometric Technology Implicates Consumer Privacy Concerns
`14.
`“Biometrics” refers to unique physical characteristics used to identify an individual.
`One of the most prevalent uses of biometrics is in facial recognition technology, which works by
`scanning a human face or an image thereof, extracting facial feature data based on specific
`“biometric identifiers” (i.e., details about the face’s geometry as determined by facial points and
`contours), and comparing the resulting “face template” (or “faceprint”) against the face templates
`stored in a “face template database.” If a database match is found, an individual can be identified.
`15. The use of facial recognition technology in the commercial context presents
`numerous consumer privacy concerns. During a 2012 hearing before the United States Senate
`Subcommittee on Privacy, Technology, and the Law, a member of the U.S. Senate stated that
`“there is nothing inherently right or wrong with [facial recognition technology, but] if we do not
`stop and carefully consider the way we use [it], it may also be abused in ways that could threaten
`basic aspects of our privacy and civil liberties.”3 Senator Franken noted, for example, that facial
`recognition technology could be “abused to not only identify protesters at political events and
`rallies, but to target them for selective jailing and prosecution.”4
`
`
`3
`What Facial Recognition Technology Means for Privacy and Civil Liberties: Hearing
`Before the Subcomm. on Privacy, Tech. & the Law of the S. Comm. on the Judiciary, 112th Cong. 1
`(2012), available at https://www.eff.org/files/filenode/jenniferlynch_eff-senate-testimony-
`face_recognition.pdf (last visited Feb. 18, 2020).
`
`Id.
`
` 4
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`5
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 7 of 32
`
`
`
`16. The Federal Trade Commission (“FTC”) has raised similar concerns, and recently
`released a “Best Practices” guide for companies using facial recognition technology.5 In the guide,
`the Commission underscores the importance of companies’ obtaining affirmative consent from
`consumers before extracting and collecting their biometric identifiers and biometric information
`from digital photographs.
`
`II.
`
`The Illinois Biometric Information Privacy Act
`17.
`In 2008, Illinois enacted the BIPA due to the “very serious need [for] protections for
`the citizens of Illinois when it [comes to their] biometric information.” Illinois House Transcript,
`2008 Reg. Sess. No. 276. The BIPA makes it unlawful for a company to, inter alia, “collect,
`capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric
`identifiers6 or biometric information, unless it first:
`
`
`(l) informs the subject . . . in writing that a biometric identifier or
`biometric information is being collected or stored;
`
`(2) informs the subject . . . in writing of the specific purpose and
`length of term for which a biometric identifier or biometric
`information is being collected, stored, and used; and
`
`(3) receives a written release executed by the subject of the biometric
`identifier or biometric information or the subject’s legally authorized
`representative.”
`740 ILCS 14/15 (b).
`18. Section 15(a) of the BIPA also provides:
`
`
`
`A private entity in possession of biometric identifiers or biometric
`information must develop a written policy, made available to the
`public, establishing a retention schedule and guidelines for
`permanently destroying biometric
`identifiers and biometric
`information when the initial purpose for collecting or obtaining such
`identifiers or information has been satisfied or within 3 years of the
`individual’s last interaction with the private entity, whichever occurs
`first.
`740 ILCS 14/15(a).
`
`
`5
`Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies,
`Federal Trade Commission (Oct. 2012), available at
`http://www.ftc.gov/sites/default/files/documents/reports/facing-facts-best-practices-common-uses-
`facial-recognition-technologies/121022facialtechrpt.pdf (last visited Feb. 18, 2020).
`6
`BIPA’s definition of “biometric identifier” expressly includes information collected about
`the geometry of the face (i.e., facial data obtained through facial recognition technology). See 740
`ILCS 14/10.
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`6
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 8 of 32
`
`
`
`19. As alleged below, Google’s practices of collecting, storing, and using biometric
`identifiers and information from school children in Illinois without the requisite informed written
`consent violate all three prongs of § 15(b) of the BIPA. Google’s failure to provide a publicly
`available written policy regarding its schedule and guidelines for the retention and permanent
`destruction of these childrens’ biometrics also violates § 15(a) of the BIPA.
`
`III. The Federal Children’s Online Privacy Protection Act
`20.
`In 1999, recognizing the vulnerability of children in the Internet age, Congress
`enacted the Children’s Online Privacy Protection Act (COPPA). See 15 U.S.C. §§ 6501–6506.
`COPPA’s express goal is to protect children’s privacy while they are connected to the internet.
`Under COPPA, developers of child-focused applications like Google’s “G Suite for Education”
`service cannot lawfully obtain the personally identifiable information of children under 13 years of
`age without first obtaining verifiable consent from their parents.
`21. COPPA applies to any operator of a commercial website or online service
`(including an app) that is directed to children and that: (a) collects, uses, and/or discloses
`personally identifiable information from children, or (b) on whose behalf such information is
`collected or maintained. Under COPPA, personally identifiable information is “collected or
`maintained on behalf of an operator when…[t]he operator benefits by allowing another person to
`collect personally identifiable information directly from users of” an online service. 16 C.F.R. §
`312.2. In addition, COPPA applies to any operator of a commercial website or online service that
`has actual knowledge that it collects, uses, and/or discloses personally identifiable information
`from children.
`22. Under COPPA, “personally identifiable information” includes information like
`names, email addresses, and social security numbers. COPPA’s broad definition of “personally
`identifiable information” is as follows:
`
`
`“individually identifiable information about an individual collected
`online,” which includes (1) a first and last name; (2) a physical
`address including street name and name of a city or town; (3) online
`contact information (separately defined as “an email address or any
`other substantially similar identifier that permits direct contact with a
`person online”); (4) a screen name or user name; (5) telephone
`number; (6) social security number; (7) a media file containing a
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`7
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 9 of 32
`
`
`
`child’s image or voice; (8) geolocation information sufficient to
`identify street name and name of a city or town; (9) a “persistent
`identifier that can be used to recognize a user over time and across
`different Web sites or online services” (including but not limited to
`“a customer number held in a cookie, an Internet Protocol (IP)
`address, a processor or device serial number, or unique device
`identifier”); and (10) any information concerning the child or the
`child’s parents that the operator collects then combines with an
`identifier.
`23. The FTC regards “persistent identifiers” as “personally identifiable” information
`that can be reasonably linked to a particular child. The FTC amended COPPA’s definition of
`“personally identifiable information” to clarify the inclusion of persistent identifiers.7
`24.
`In order to lawfully collect, use, or disclose personally identifiable information,
`COPPA requires that an operator meet specific requirements, including each of the following:
`a.
`Posting a privacy policy on its website or online service providing clear,
`understandable, and complete notice of its information practices, including
`what information the website operator collects from children online, how it
`uses such information, its disclosure practices for such information, and
`other specific disclosures as set forth in the Rule;
`Providing clear, understandable, and complete notice of its information
`practices, including specific disclosures, directly to parents; and
`Obtaining verifiable parental consent prior to collecting, using, and/or
`disclosing personally identifiable information from children.
`25. Under COPPA, “[o]btaining verifiable consent means making any reasonable effort
`(taking into consideration available technology) to ensure that before personally identifiable
`information is collected from a child, a parent of the child. . . [r]eceives notice of the operator’s
`personally identifiable information collection, use, and disclosure practices; and [a]uthorizes any
`collection, use, and/or disclosure of the personally identifiable information.” 16 C.F.R. § 312.2.
`
`
`b.
`
`c.
`
`
`See https://www.ftc.gov/news-events/blogs/business-blog/2016/04/keeping-
`7
`onlineadvertising-industry (2016 FTC Blog post from Director of the FTC Bureau of Consumer
`Protection) (last visited November 22, 2019).
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`8
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 10 of 32
`
`
`
`c.
`d.
`e.
`
`26. The FTC recently clarified acceptable methods for obtaining verifiable parental
`consent, which include:
`a.
`providing a consent form for parents to sign and return;
`b.
`requiring the use of a credit card/online payment that provides notification of
`each transaction;
`connecting to trained personnel via video conference;
`calling a staffed toll-free number;
`emailing the parent soliciting a response email plus requesting follow-up
`information from the parent;
`asking knowledge-based questions; or
`verifying a photo ID from the parent compared to a second photo using
`facial recognition technology.8
`27. As alleged below, Google’s practices of collecting, storing and using biometric
`identifiers, biometric information, and other personally identifying information from school
`children under 13, without the requisite verifiable parental consent, are in clear violation of
`COPPA.
`
`f.
`g.
`
`IV. Google Violates Both the Illinois BIPA and the Federal COPPA
`28.
`In 2011, Google’s then-CEO Eric Schmidt discussed the company’s past
`development of facial recognition technology, and explained that he had put the brakes on the
`program due to the profound implications he believed the technology would have on individuals’
`privacy rights. Characterizing facial recognition technology as “crossing the creepy line,” Mr.
`Schmidt said at the time “that [Google] would not build a database capable of recognizing
`individual faces even though it is increasingly possible.” Matt Warman, Google Warns Against
`Facial Recognition Database, THE TELEGRAPH, May 18, 2011, available at
`http://www.telegraph.co.uk/technology/google/8522574/Google-warns-against-facial-recognition-
`
`
`8 See https://www.ftc.gov/tipsadvice/business-center/guidance/childrens-online-privacy-protection-
`rule-six-step-compliance (last visited November 22, 2019).
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`9
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 11 of 32
`
`
`
`technology.html. Nonetheless, Mr. Schmidt predicted that “some company by the way is going to
`cross that line.” Id.
`29.
`In 2013, Mr. Schmidt wrote a piece for The Wall Street Journal, titled “The Dark
`Side of the Digital Revolution,” in which he again cautioned against the collection of Americans’
`biometric data and advocated in favor of regulating the collection and use of such data in this
`country, writing in pertinent part:
`
`
`Today’s facial-recognition systems use a camera to zoom in on an
`individual’s eyes, mouth and nose, and extract a “feature vector,” a
`set of numbers that describes key aspects of the image, such as the
`precise distance between the eyes. (Remember, in the end, digital
`images are just numbers.) Those numbers can be fed back into a
`large database of faces in search of a match. The accuracy of this
`software is limited today (by, among other things, pictures shot in
`profile), but the progress in this field is remarkable. A team at
`Carnegie Mellon demonstrated in a 2011 study that the combination
`of “off-the-shelf” facial recognition software and publicly available
`online data (such as social network profiles) can match a large
`number of faces very quickly. With cloud computing, it takes just
`seconds to compare millions of faces. The accuracy improves with
`people who have many pictures of themselves available online—
`which, in the age of Facebook, is practically everyone.
`
`By indexing our biometric signatures, some governments will try to
`track our every move and word, both physically and digitally. That’s
`why we need to fight hard not just for our own privacy and security,
`but also for those who are not equipped to do so themselves. We can
`regulate biometric data at home in democratic countries, which helps.
`Eric Schmidt, The Dark Side of the Digital Revolution, THE WALL STREET JOURNAL, Apr. 19, 2013,
`available at https://www.wsj.com/articles/SB100014241278873240307 04578424650479285218.
`30.
`Ironically, the company that Google’s CEO predicted in 2011 would one day “cross
`that line” by diving into the consumer biometrics-collection business turned out to be none other
`than Google itself.
`31.
`In May 2015, Google announced the release of its web- and mobile app-based photo
`sharing and storage service called Google Photos. Users of Google Photos immediately began
`uploading millions of photos per day through the service, and Google in turn began using its
`“FaceNet”-powered facial recognition technology to extract, collect, store, and catalog the
`biometric data of everyone whose faces appeared in all of those uploaded photographs, in real
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`10
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 12 of 32
`
`
`
`time.9 Google has sold licenses to its Google Photos APIs, including APIs that enable the use of its
`facial recognition technology, to various mobile application developers, and derives substantial
`commercial profit from such sales. Thus, less than four years after warning of the immense
`dangers posed by facial recognition technology, Google began using that very technology to collect
`the immutable biometric data of hundreds of millions of its users worldwide.
`32. But Google’s pursuit of the world’s biometric data didn’t end there. Most recently,
`Google has unleashed its immensely powerful biometrics-collection technology on primary and
`secondary school children throughout the country, including across the state of Illinois.
`33. Specifically, Google provides its “ChromeBook” laptops to grade schools,
`elementary schools, and high schools nationwide, who in turn make these computing devices
`available for use by children who attend their schools. The ChromeBooks that Google provides to
`schools come equipped with Google’s “G Suite for Education” platform, a cloud-based service
`used by young students under the age of 13 all across the country, including the state of Illinois.
`34. To drive adoption in more schools – and to alleviate legitimate concerns about its
`history of privacy abuses – Google publicly assured parents, students, and educators alike that the
`company takes student privacy seriously and that it only collects education-related data from
`students using its “G Suite for Education” platform. Google also publicly promised never to mine
`student data for its own commercial purposes. In particular, Google has stated that it recognizes
`that “trust is earned through protecting teacher and student privacy” and has made a number of
`public promises designed to convince parents, teachers, school districts, and students that it will
`protect the privacy of students who use the “G Suite for Education” platform.10
`35. To reaffirm the commitments it has made over the years to safeguard and protect
`student privacy, including to school districts, Google signed the K-12 School Service Provider
`
`
`9
`A research paper released by Google engineers at around the same time as the release of
`Google Photos describes FaceNet as “a unified system for face verification (is this the same
`person), recognition (who is this person) and clustering (find common people among these faces).”
`Schroff, Florian, et al., “FaceNet: A Unified Embedding for Face Recognition and Clustering,”
`June 7, 2015, available at https://ieeexplore.ieee.org/document/7298682.
`
`10
`Privacy and Security, Google LLC, http://services.google.com/th/files/misc/gsuite for_
`education_ privacy_s ecurity.pdf (last visited March 26, 2020).
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`11
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 13 of 32
`
`
`
`b.
`
`c.
`
`d.
`
`Pledge to Safeguard Student Privacy (the “Student Privacy Pledge”) in or around January 2015.
`The Student Privacy Pledge is a set of principles and promises developed by the Future of Privacy
`Forum and The Software & Information Industry Association regarding the collection, use, and
`maintenance of student data.11 Though not an original signatory, and hesitant to sign on (only
`succumbing after public outrage), Googled eventually signed the Student Privacy Pledge12 and
`affirmatively and expressly committed to:
`a.
`Not collect, maintain, use or share student personal information beyond that
`needed for authorized educational/school purposes, or as authorized by the
`parent/student;
`Not use or disclose student information collected through an
`educational/school service (whether personal information or otherwise) for
`behavioral targeting of advertisements to students;
`Not build a personal profile of a student other than for supporting authorized
`educational/school purposes or as authorized by the parent/student;
`Not knowingly retain student personal information beyond the time period
`required to support the authorized educational/school purposes, or as
`authorized by the parent/student;
`Collect, use, share, and retain student personal information only for purposes
`for which Google was authorized by the educational institution/agency,
`teacher, or the parent/student; and
`Disclose clearly in contracts or privacy policies, including in a manner easy
`for parents to understand, what types of student personal information Google
`collects, if any, and the purposes for which the information Google
`maintains is used or shared with third parties.
`
`11
`Student Privacy Pledge Signatories, Future of Privacy Forum and The Software &
`Information Industry Association, https://studentprivacypledge.org/signatories/ (last visited March
`26, 2020).
`
`12
`Google Changes Course, Signs Student Data Privacy Pledge, Wall Street Journal,
`https://blogs. wsj
`.com/digits/2015/01
`/20/
`google-changes-course-signs-student-data-pri
`vacypledge/ (last visited March 26, 2020).
`
`e.
`
`f.
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`12
`
`1
`2
`3
`4
`5
`6
`7
`8
`9
`10
`11
`12
`13
`14
`15
`16
`17
`18
`19
`20
`21
`22
`23
`24
`25
`26
`27
`28
`
`
`
`Case 5:20-cv-02257-NC Document 1 Filed 04/02/20 Page 14 of 32
`
`
`
`36.
` Although Google publicly promoted its decision to sign the Student Privacy Pledge,
`and received positive coverage in the press for having done so, Google quickly began breaking the
`commitments it had made in the Pledge.
`37. Specifically, since signing the Student Privacy Pledge, Google has implemented
`features