In a lawsuit filed last week in the U.S. District Court for the Southern District of New York, a lawyer for an 18-year-old New Yorker alleges he was misidentified in a string of Apple store thefts. The suit alleges, among other things, that Apple uses facial recognition technology in its stores.

That practice, while denied by Apple, isn't widely regulated in the U.S. Still, the few state-level biometrics laws that do exist, especially Illinois, should be monitored closely by businesses because of the risks they could pose.

In Bah v. Apple and Security Industry Specialists, Ousmane Bah claims the ordeal of being accused and arrested for theft constituted negligence, emotional distress, slander and other claims brought against Apple Inc. Bah is seeking $1 billion in damages.

According to the suit, a New York City Police Department detective said he viewed surveillance video from a Manhattan Apple store Bah was accused of stealing from, and the suspect and Bah didn't look alike. He also explained Apple's security technology identifies theft suspects using facial recognition technology,

A request for comment from Apple regarding its use of facial recognition technology in its retail stores was not answered by press time but, according to The Verge, the retailer has said it doesn't use facial recognition technology in its stores.

To be sure, facial recognition in stores is a growing trend, according to a 2017 CNBC article.

This may be in part because retailers considering using facial recognition software in U.S. stores won't find many regulations governing the technology. Indeed, outside of Washington state, Texas and Illinois, no other state currently has a law governing facial recognition software. Likewise, there's no federal regulation concerning biometrics, although the U.S. Senate introduced the Commercial Facial Recognition Privacy Act of 2019 in March.

But of the three state biometric laws, Illinois' Biometric Information Privacy Act law differs the most significantly by allowing a private cause of action for violation of the law. Such private actions, which are available to Illinois residents and can be rolled into a class action suit, makes facial recognition a greater danger in Illinois, lawyers said.

“Because Illinois is still the only state to have a private right of action and the consequence is $1,000 for negligence or $5,000 for intentional or reckless violations or actual damage … there's a great risk to using that technology in a state like Illinois,” said Mary Smigielski, a Lewis Brisbois Bisgaard & Smith partner and co-chair of the firm's Illinois Biometric Information Privacy Act practice group.

“You only need a technical violation,” Smigielski added. “You don't need to have a data breach or have the information stolen, just the mere fact that you proceeded without having consent is violation.”

Indeed, the Illinois Supreme Court held earlier this year that violation of the law, which requires written consent and notification to collect and use an individual's biometric information, can have a right of action and actual damage isn't required to be aggrieved. Some lawyers predicted the case could open the floodgates for biometric class action suits in Illinois.

If a retailer does use facial recognition technology in Illinois, the company must have written consent from customers and a readily available public policy explaining what the retailer is collecting, why it is collecting, consent to share it and “can't otherwise profit from it,” said Justin Kay, a Chicago-based Drinker Biddle & Reath partner.

While most states do not have any biometrics laws, some argue that following the guidelines of the few that do is just good business.

 Jeffrey Neuburger, a New York-based Proskauer Rose partner, said although New York state doesn't have a biometric law, he would recommend a business provide public notice of facial recognition technology being used in its store. 

“I think it takes away some of the creepiness factor if people ultimately find out they are using facial recognition,” he said.