Another Conflict Between Privacy Laws and Age Authentication–Murphy v. Confirm ID
This opinion is a routine ruling over TOS formation and whether disputes must go to arbitration. However, before I dig into that question, I need to note the case’s chilling implications.
* * *
This case involves the Adult Friend Finder service (AFF), which age-authenticates its users. To do so, AFF required users to upload government ID and a selfie as part of the account formation process. AFF uses an affiliated vendor, Confirm ID, to face-scan the selfie for the age authentication. The plaintiffs allege that Confirm ID violates the Illinois Biometric Information Privacy Act (“BIPA”).
In other words….plaintiffs are once again arguing that deploying biometric-based age authentication violates privacy law. (I previously blogged on this issue in 2023. See Kuklinski v. Binance). This argument implicitly clashes with how governments around the globe are pressuring, or compelling, Internet services to age-authenticate their users, with the expectation that face scans often will be the cheapest authentication option with a reasonable degree of accuracy. (Note: some laws, like Australia, ban authenticators from using government IDs for authentication purposes, leaving few remaining viable options other than face scans). Thus, lawsuits like this expose the damned-if-you-do, damned-if-you-don’t dilemma facing Internet services who are compelled to do age authentication. If they comply with those laws, will they get hammered for privacy violations?
A reminder: any time a regulator pushes for mandatory age authentication, ask them to explain in detail EXACTLY how they think it will be accomplished in a privacy-sensitive way. (Don’t accept generalities or assumptions). When they can’t answer that question, it’s proof they have don’t have a clue about the consequences of their policies.
* * *
OK, onto the less-interesting TOS formation/arbitration question.
First, there’s a question about whether Confirm ID is covered by the TOS. Confirm ID is owned by Various, which also owns AFF. Various is itself an affiliate of the FriendFinder Network.
The AFF TOS refers to Various and its “affiliates,” which indistinctly includes Confirm ID. The court says that the plaintiffs’ allegations treat AFF as the data controller and Confirm ID as the data processor, and that’s sufficient to acknowledge the affiliate relationship. (This seemed odd to me: controllers/processors are often independent contractors, so I don’t see how those references relate to affiliate status). Also, in the privacy policy, Confirm ID was listed as a subsidiary of FriendFinder Network, and that was enough to tell plaintiffs how to connect the dots. Confirm ID can claim the arbitration clause.
Second, the court turns to the TOS formation question. Here are the desktop and mobile versions of the TOS formation screens:
__
The court wisely sidesteps the “wrap” terminology entirely. If it had used those terms, both of these appear to be “sign-in-wraps.”
Instead, the court then compares this to the formation process at issue in the Berman case. On the minus side, the court notes that the call-to-actions are in smaller gray font. On the plus side, the links are presented in blue, which the court thinks contrasts enough with the gray, and the links display underlining when moused over (Confirm ID submitted a video showing this–good evidence to have). The court also notes that in the mobile screenshot, the links aren’t italicized even though they are placed amongst italicized text. (I’m not sure italicized text should ever be used in calls-to-action, but this case doesn’t address that broader proposition). Also, “the text has not been placed in between larger, attention-grabbing buttons that prompt the user to take action.” (Instead, it’s been placed below the action button, with all of the risks that entails).
The court summarizes:
the TOU and Privacy Policy on the sign-up screen for the AFF membership provides “reasonably conspicuous notice” because the notice is in such a font size and format that “a reasonably prudent Internet user would have seen it” and the hyperlinks are readily apparent.
The court sends the case to arbitration. Good news for AFF/Confirm ID, but they could have easily done much better with these implementations, even without adopting a two-click process.
Case Citation: Murphy v. Confirm ID, Inc., 2025 WL 603598 (E.D. Cal. Feb. 25, 2025).
Selected BIPA Blog Posts
- Augmented Reality Filters May Violate Privacy Law–Hartman v. Meta
- AWS Can’t Shake BIPA Lawsuit for Providing Services to NBA 2K–Mayhall v. Amazon
- Facebook Defeats BIPA Face-Scanning Lawsuit–Zellmer v. Meta
- Will Biometric Privacy Laws Undermine the Fight Against CSAM?–Martell v. X
- Do Mandatory Age Verification Laws Conflict with Biometric Privacy Laws?–Kuklinski v. Binance
- Illinois Supreme Court Authorizes Biometric Lawsuits Without Any Allegation of Harm–Rosenbach v. Six Flags
- Google Photos Defeats Privacy Lawsuit Over Face Scans–Rivera v. Google
- Illinois Users’ Face-Scanning Privacy Lawsuit Against Facebook Headed to Trial
- Face Scanning Lawsuit Against Shutterfly Survives Motion to Dismiss
- Facebook Gets Bad Ruling In Face-Scanning Privacy Case–In re Facebook Biometric Information Privacy Litigation
- Shutterfly Can’t Shake Face-Scanning Privacy Lawsuit