A potential class action suit alleging that Subaru’s driver monitoring system captures and transmits biometric data in violation of Illinois law has been allowed to proceed to trial in federal court.

U.S. District Judge Jorge L. Alonso earlier this month denied a motion by Subaru of America (SOA) for arbitration in the case, finding that it was not entitled to enforce the arbitration provision in the financing agreement between the plaintiff and the dealership where she bought the car. The dealership is not a party to the lawsuit.

The order allows the case, brought against SOA by Cook County resident Renee Giron, to proceed to trial. A status conference has been set for Dec. 8.

In her complaint, originally filed in the Chancery Division of the Circuit Court of Cook County, Giron alleges that the infrared camera-based driver monitoring system (DMS) used in her 2020 Subaru Outback violates the Illinois Biometric Privacy Information Act (BIPA) by scanning drivers’ faces and eyes, and collecting and transmitting that information without first securing written permission from the drivers.

The suit alleges that Subaru also fails to supply written notices about why the data is being collected and how it will be used, stored, shared and ultimately destroyed, as required under BIPA.

In its response, SOA “expressly denies that it collected, utilized, captured, possessed, purchased, received, or otherwise obtained the biometric identifiers or biometric information of Plaintiff or anyone else.” It denies that the information used by the DMS constitutes a “biometric identifier” or “biometric information” as defined by BIPA.

The plaintiff is seeking class status for owners of Subarus equipped with the DriverFocus distraction mitigation system, including the 2019-2022 Forester Touring; the 2020-2022 Outback Limited, Touring, Touring XT, and Limited XT; and the 2020-2022 Legacy Limited, Limited XT, and Touring XT models.

The complaint contends that the features of the DMS include a facial recognition system, which “collects and stores data regarding the driver’s facial features” to automatically recognize up to five registered drivers.

It claims that the DMS uses this feature to automatically adjust features, such as the position of the seat and mirrors, and climate control settings, to suit the driver’s preferences.

“Both the distraction mitigation and driver recognition features of the DMS scan and utilize the driver’s biometric identifiers and/or biometric information — particularly, the person’s retina/iris and face geometry — to recognize drivers and determine if the driver is either facing forward and focused on the road, or ‘distracted and drowsy,'” the complaint states.

It claims that Subaru stores this biometric information “on the same onboard computer Subaru routinely accesses” through its Starlink telematics system. Other data accessed by Subaru includes “mechanical conditions or incidents involving the vehicle, such as crash severity sensor data; vehicle time, speed and location; vehicle-occupants’ search content; data relating to phone calls made through the system; and vehicle performance data, such that is automatically retrieved, recorded, and transmitted to Subaru.”

While drivers have the option of deactivating the DMS, “doing so deprives them of the crucial safety benefits the DMS provides,” the suit says. “Subaru’s policies thus leave drivers between a rock and a hard place: forego standard safety features, or entrust their highly-sensitive biometric data to Subaru despite its failure to comply with BIPA.”

Interestingly, this is similar to the argument made by the Alliance for Automotive Innovation (AAI), after SOA directed that StarLink be deactivated in vehicles sold in Massachusetts in response to that state’s vehicle data access law.

In that case, AAI argued that deactivation of telematics on Subaru vehicles represented avoidance of the law, rather than compliance. AAI has asked a federal court to nullify the Massachusetts law, arguing that it conflicts with federal emissions and safety law, and would introduce significant cybersecurity threats.

At one point, AAI had argued that voters would be unpleasantly surprised to learn that the law they had approved would result in disabling telematics, depriving them of certain safety and convenience functions.

A decision in that case is unlikely before mid-December.

The Illinois law prohibits any entity that possesses biometric information from “selling, leasing, or otherwise profiting from an individual’s biometric identifiers or information, or disclosing, redisclosing, or otherwise disseminating the individual’s biometric identifiers and biometric information unless the individual consents to the disclosure or dissemination.”

Subaru, in its response, has challenged the accuracy of the plaintiff’s description of its DMS functionality. It has also denied that the information used by the DMS in her vehicle constitutes a “biometric identifier” or “biometric information” as defined by BIPA, or that “information from DMS” is accessed or transmitted by the Starlink system.

The suit seeks unspecified financial damages for the plaintiff and the class, and asks the court to grant appropriate injunctive relief, including an order barring SOA from “capturing, collecting, using, storing, disclosing, or disseminating” biometric information without permission.

BIPA allows plaintiffs to demand companies pay as much as $5,000 per violation. If the law is interpreted to define an individual violation as each time a person’s biometric data is scanned, Subaru could potentially be facing a significant penalty.

Images

The Everett McKinley Dirksen United States Courthouse in Chicago, Illinois. (Provided by the U.S. District Court for the Northern District of Illinois)