Lawsuit Alleges App Illegally Took Users’ Biometric Data

A group in Illinois has filed a class action lawsuit against California-based Prisma Labs, the company behind the artificial intelligence-powered photo editing app,

As reported by Artnet, Chicago-based law firm Loevy & Loevy has filed a class action lawsuit against Prisma Labs, alleging that the company “unlawfully” collected Illinois residents’ biometric data using Lensa’s “Magic Avatars” feature.

The suit alleges that Prisma “violated the Illinois Biometric Information and Privacy Act (BIPA) by collecting users’ facial geometry without their permission, using it to train/develop Prisma’s artificial intelligence (AI) neural networks, and illegally storing the data.”

When using Lensa’s Magic Avatars feature, users must provide the app access to “every photo on their device” and upload at least ten selfies. Loevy & Loevy alleges that Prisma extracts facial biometrics from each uploaded selfie to train its neural networks and “make more profitable AI.”

The class action lawsuit doesn’t stop there. It also alleges that the open-source AI model, Stable Diffusion, is trained on 2.3 billion captioned images extracted from the internet, some of which are copyrighted works of art.

Further, the lawsuit complains that despite Lensa’s Terms of Use, which mandate a “no nudes” policy, the app nonetheless generates nude images from source photos containing only headshots or fully-clothed individuals.

When Lensa was its peak popularity last December, PetaPixel reported that users were complaining about Lensa’s AI selfie generator sexualizing their photos. Many users also condemned the app for anglicizing people and making people appear slimmer. Some users have noted that men don’t appear subject to the same level of sexualization when using Lensa.

While apps like Lensa have dramatically dipped in popularity so far this year, users have already spent millions of dollars on in-app purchases.

Lensa’s terms of use allow Prisma to use uploaded images as it sees fit, including for reproduction, modification, and distribution, all without compensating users.

In PetaPixel’s report on Lensa’s questionable terms of use, a quote from ESET cybersecurity expert Jake Moore warned users that, “similar to apps in the past that have requested lots of permissions and access to function, people need to be very aware of what they are allowing these apps to do and even own.” Moore continued, “By using Lensa you will be granting permission to own the generated photo which will be placed in a database along with potentially other identifiable information.”

Users can email Lensa to have their personal data deleted. However, it’s clear that some users don’t fully understand how their data is used and what they agree to when they begin using an app. When an app like Lensa goes viral, users can be in such an excited rush to participate in a trend that they don’t fully appreciate the risks involved.

Arguably, what’s included in terms of use documentation doesn’t always jive with legal requirements, nor does a user agreement provide carte blanche to a company to do anything it wants.

“Lensa continues to be one of the most downloaded apps in the country, which is why this lawsuit—and Prisma Labs’ compliance with BIPA—is so urgently needed,” says Mike Kanovitz, a partner at the civil rights law firm Loevy & Loevy Attorneys at Law. “Prisma Labs has been unlawfully collecting users’ biometric data without their consent. This is in violation of Illinois law, and deeply concerning for anyone who believes in data privacy.”

Tom Hanson, another representing attorney at Loevy & Loevy, says “The plaintiffs in this lawsuit, and millions of others like them, unwittingly provided their facial biometrics to Prisma Labs when they downloaded the Lensa app. A person’s facial geometry is like their fingerprint: it is an immutable, unique identifier that deserves the highest degree of protection the law can afford.”

In addition to Kanovitz and Hanson, attorneys Jon Loevy and Jordan Poole are also part of the lawsuit. Loevy & Loevy won the first BIPA case to ever go to trial last October and were awarded a verdict of $228 million in the case of Richard Rogers, et al. v. BNSF Railway Compan (case #19 C 3083). The law firm’s new case, Jack Flora, Eric Matson, Nathan Stoner, Courtney Owens, and D.J., v. Prisma Labs, Inc., was filed in U.S. Federal Court, Northern District of California. The case number is 5:23-cv-00680. A .pdf of the entire lawsuit is available from Loevy & Loevy. The lawsuit complains for damages and relief and demands a jury trial.

Regardless of what happens with the new lawsuit, people should always be careful what access they provide to the apps they use. Even if an app is popular and fun, it’s important to be aware of the risks that are assumed when uploading images, how those images might be used, and how much control over private data is retained.