Getaround Sued for Allegedly Collecting Face Scans Without Consent
Illinois resident claims the car rental platform violated state biometric privacy law by collecting facial geometry data during account signup without proper disclosure or written consent, exposing thousands to irreversible privacy risks.
Cory Anderson filed a class action lawsuit against Getaround alleging the car rental platform illegally collected facial geometry scans from Illinois users during identity verification without informing them in writing, obtaining written consent, or maintaining a public data retention policy as required by Illinois biometric privacy law. The lawsuit claims Getaround also failed to destroy the biometric data after verification was complete and disclosed it to third parties without authorization. Facial geometry scans are permanent and cannot be changed if stolen, leaving potentially thousands of users vulnerable to identity theft.
If you created a Getaround account in Illinois in the past five years, your facial data may have been collected without your knowledge or consent.
The Allegations: A Breakdown
| 01 | Getaround prompted Illinois users to upload selfie videos during account creation, scanning their facial geometry without ever informing them in writing that biometric information was being collected or stored. | high |
| 02 | The platform never disclosed the specific purpose or length of time it would store the facial geometry data, making no mention of biometric information collection at any point in the signup process. | high |
| 03 | Getaround collected and stored facial geometry scans without obtaining any written release or consent from users authorizing this collection. | high |
| 04 | The company had no written policy available to the public establishing a retention schedule or guidelines for permanently destroying biometric data. | high |
| 05 | Getaround failed to permanently destroy users’ facial geometry after the identity verification purpose was satisfied, continuing to retain this irreplaceable biometric data indefinitely. | high |
| 06 | The company disclosed or disseminated users’ biometric information to service providers, contractors, business partners, and collection agencies without user consent and without legal authorization. | high |
| 07 | These data collection practices were not unique to the plaintiff but part of Getaround’s standard policy applied to all users, potentially affecting over 1,000 Illinois residents. | medium |
| 01 | Illinois enacted the Biometric Information Privacy Act specifically to protect residents from unauthorized biometric data collection, yet Getaround allegedly operated for years without compliance. | high |
| 02 | BIPA requires companies to inform users in writing before collecting biometric data, disclose specific purposes and retention periods, obtain written releases, and publish public retention policies. Getaround allegedly ignored all four requirements. | high |
| 03 | The Illinois legislature explicitly recognized that biometrics cannot be changed if compromised, unlike social security numbers, yet enforcement mechanisms failed to prevent this alleged five-year violation pattern. | medium |
| 04 | Chicago was selected as a pilot testing site for biometric-facilitated transactions, making BIPA protections especially critical, but the alleged violations suggest regulatory oversight was insufficient. | medium |
| 05 | The lawsuit emerged only through private class action rather than proactive regulatory enforcement, indicating state agencies either lacked resources or failed to monitor compliance. | medium |
| 06 | The complaint states Getaround is subject to all BIPA requirements as a private entity, yet the company operated an identity verification system that allegedly violated the statute on multiple grounds simultaneously. | high |
| 01 | Getaround allegedly streamlined its user onboarding process by collecting facial geometry for identity verification while bypassing the legally required consent procedures that would have slowed signups. | high |
| 02 | The platform marketed itself directly to Illinois residents through pay-per-click advertising, Facebook ads, Instagram ads, and targeted social media campaigns, aggressively pursuing user growth in a jurisdiction with strict biometric protections. | medium |
| 03 | By collecting biometric data without proper disclosures or written consent forms, Getaround eliminated friction in the signup process that competitors following BIPA requirements would have faced. | high |
| 04 | The company allegedly retained facial geometry data indefinitely after verification was complete rather than destroying it, maintaining a database that could provide ongoing commercial or analytical value. | high |
| 05 | Getaround shared users’ biometric information with service providers, contractors, business partners, and collection agencies, extending the data’s utility beyond the stated verification purpose. | high |
| 06 | The alleged violations affected all Illinois users systematically as part of Getaround’s standard procedures, suggesting a deliberate business model choice rather than isolated oversights. | high |
| 07 | Even if caught, the company may have calculated that settlement costs or statutory damages would be less expensive than implementing full BIPA compliance measures from the outset. | medium |
| 01 | If Getaround’s database containing facial geometry scans is hacked or breached, affected users have no means to prevent identity theft or unauthorized tracking because biometric identifiers cannot be changed. | high |
| 02 | The lawsuit seeks statutory damages of up to $5,000 per intentional violation or $1,000 per negligent violation, creating potential liability in the millions for violations affecting over 1,000 Illinois residents. | high |
| 03 | Users whose biometric data was collected face heightened lifelong risk for identity theft and are likely to withdraw from biometric-facilitated transactions due to compromised trust. | high |
| 04 | The plaintiff also seeks actual damages, reasonable attorneys’ fees, costs, and litigation expenses, potentially adding significant financial burdens beyond statutory penalties. | medium |
| 05 | Getaround’s alleged disclosure of biometric data to collection agencies and business partners multiplies the exposure risk, as each third party represents another potential breach point. | high |
| 06 | The case is brought under both diversity jurisdiction and the Class Action Fairness Act, with the amount in controversy exceeding $5 million, indicating the scale of potential economic impact. | medium |
| 01 | Facial geometry scans are unique, permanent biometric identifiers that cannot be changed or replaced if stolen or compromised, unlike passwords or credit card numbers. | high |
| 02 | The complaint emphasizes that once biometric data is compromised, individuals have no recourse and face heightened risk for identity theft for the rest of their lives. | high |
| 03 | Getaround’s alleged failure to destroy biometric data after the verification purpose was satisfied means users’ irreplaceable facial geometry remains in storage indefinitely, accumulating risk over time. | high |
| 04 | The Illinois legislature found that individuals whose biometrics are compromised are likely to withdraw from biometric-facilitated transactions, restricting their access to modern services and technologies. | medium |
| 05 | Courts have analogized privacy interests in biometric data to protection from trespass, recognizing that unauthorized collection violates individuals’ private domain. | medium |
| 06 | The alleged disclosure of facial geometry to multiple third parties exponentially increases the chance of misuse, unauthorized tracking, or exposure through security breaches at any of those entities. | high |
| 01 | Getaround targeted Illinois residents specifically through location-based social media marketing campaigns focused on individuals residing within the City of Chicago and State of Illinois. | medium |
| 02 | The plaintiff states that Getaround’s marketing efforts directed toward Illinois were a factor in his decision to open an account, making the targeted nature of the alleged violations particularly concerning. | medium |
| 03 | All violations of BIPA occurred while the plaintiff and proposed class members were located in Illinois, making them subject to a law specifically designed to protect them from exactly this type of data collection. | high |
| 04 | Chicago was selected by major national corporations as a pilot testing site for biometric-facilitated financial transactions, making residents particularly vulnerable to experimental data collection practices. | medium |
| 05 | The proposed class includes all Illinois residents who had their biometric information collected by Getaround at any point in the five years preceding the complaint filing in October 2024. | medium |
| 06 | The complaint estimates that more than 1,000 people satisfy the class definition, indicating widespread impact across Illinois communities. | medium |
| 07 | Illinois residents who opened Getaround accounts were never given the opportunity to make an informed decision about whether to share their facial geometry, robbing them of control over their most personal data. | high |
| 01 | Getaround’s identity verification process simply instructed users to upload a selfie video as a step in verification, making no mention that this constituted biometric information collection subject to legal protections. | high |
| 02 | The company made no mention of biometric information, collection of biometric information, or storage of biometric information at any point in the user interface or signup flow. | high |
| 03 | At all relevant times, Getaround had no written policy made available to the public establishing retention schedules and guidelines for destroying biometric data, despite BIPA’s explicit requirement. | high |
| 04 | The alleged collection and retention practices were not unique to the plaintiff but part of Getaround’s policy and procedures applied to all users, indicating systematic rather than accidental violations. | high |
| 05 | Users were prompted to allow Getaround to collect facial geometry but were told only that this was to verify identity and ensure they met standards required to access the application, obscuring the true nature and permanence of the data collection. | high |
| 06 | The complaint alleges Getaround is a private entity as defined by BIPA and subject to all its requirements, yet the company allegedly structured its entire verification system in violation of the statute. | high |
| 07 | Despite collecting sensitive biometric data that exposes users to serious and irreversible privacy risks, Getaround allegedly failed to implement even the most basic safeguards required by Illinois law. | high |
| 01 | This lawsuit exposes how a major technology platform allegedly collected irreplaceable biometric data from thousands of users while ignoring every single requirement of a law specifically designed to prevent such collection. | high |
| 02 | The allegations demonstrate that even in jurisdictions with strong privacy protections like Illinois, companies may choose to bypass legal safeguards in pursuit of frictionless user growth and data acquisition. | high |
| 03 | Facial geometry data cannot be changed if compromised, meaning the alleged violations create permanent, irreversible risks for every affected user that will persist for their entire lives. | high |
| 04 | The case illustrates how corporate platforms can embed privacy violations directly into standard operating procedures, normalizing illegal data collection as routine business practice. | high |
| 05 | By allegedly sharing users’ biometric data with service providers, contractors, business partners, and collection agencies, Getaround multiplied the risk exponentially while users remained unaware their facial scans were being disseminated. | high |
| 06 | The lawsuit seeks class certification to represent all affected Illinois residents, a recognition that only collective action can effectively challenge systematic corporate privacy violations. | medium |
| 07 | Whether through negligence or intentional disregard, the alleged five-year pattern of BIPA violations shows how profit-driven platforms can operate for years without facing consequences until private litigation forces accountability. | high |
| 08 | This case serves as a warning that biometric data collection is accelerating across industries, and without robust enforcement, similar violations will continue to expose consumers to irreversible privacy harms. | high |
Direct Quotes from the Legal Record
“Facial geometry scans are unique, permanent biometric identifiers associated with each user that cannot be changed or replaced if stolen or compromised.”
💡 This establishes why biometric violations are fundamentally different from other data breaches and why BIPA protections are so critical.
“For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
💡 The Illinois legislature explicitly recognized that biometric data breaches cause permanent, irreversible harm unlike any other type of privacy violation.
“Getaround made no mention of biometric information, collection of biometric information, or storage of biometric information.”
💡 Users had absolutely no way to know their facial geometry was being captured and stored, making informed consent impossible.
“Getaround’s collection and retention of biometric information as described herein is not unique to Plaintiff and is instead part of Getaround’s policy and procedures which Getaround applies to all of its users, including the Class Members.”
💡 This was not an isolated mistake but an intentional business practice applied to potentially thousands of users.
“At all relevant times, Getaround had no written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for collecting or obtaining such biometric information has been satisfied or within 3 years of the individual’s last interaction with Getaround, whichever occurs first.”
💡 Without a destruction policy, users’ facial scans remain in Getaround’s systems indefinitely, accumulating risk over time.
“Getaround disclosed, redisclosed or otherwise disseminated Plaintiff’s biometric information to its service providers, contractors, business partners, and collection agencies.”
💡 The company shared irreplaceable biometric data with multiple third parties without user authorization, multiplying the exposure risk.
“Courts analogize an individual’s privacy interest in their unique biometric data to their interest in protecting their private domain from invasion, such as from trespass.”
💡 Legal precedent recognizes that unauthorized biometric collection is as serious as physical invasion of private property.
“The City of Chicago, which has been selected by major national corporations as a pilot testing site for new applications of biometric-facilitated financial transactions, including finger-scan technologies at grocery stores, gas stations, and school cafeterias.”
💡 Illinois residents are particularly vulnerable to biometric data collection experiments, making BIPA protections especially important.
“You shall submit in addition to other Personal Data you may have already provided to us, the following information taken via our App on your smartphone (the ‘Vetting Data’): Photo (front and back) of your driving license; Photo of your I.D. card (only if you have a paper driving license or a non E.U. driving license); a video of you reading three numbers and turning your head.”
💡 This shows exactly how Getaround collected facial geometry through the video requirement without explaining it was capturing biometric data.
“Getaround’s marketing efforts directed towards Illinois were a factor in Plaintiff’s decision to open an account.”
💡 The company actively recruited Illinois users while allegedly ignoring the state’s biometric privacy protections.
“All Illinois residents who had their biometric information collected by Defendant at any point in the five (5) years preceding the filing of this Complaint.”
💡 The proposed class encompasses five years of alleged violations, potentially affecting thousands of Illinois residents.
“Getaround, Inc. is a ‘private entity’ as that term is broadly defined by BIPA and is subject to all requirements of BIPA.”
💡 The company cannot claim exemption from BIPA’s requirements and was legally obligated to comply with all provisions.
“Statutory damages of $5,000.00 for the intentional and reckless violation of BIPA pursuant to 740 ILCS § 14/20(2), or alternatively, statutory damages of $1,000.00 pursuant to 740 ILCS § 14/20(1) in the event the court finds that Defendant’s violations of BIPA were negligent.”
💡 The financial stakes are enormous, with potential damages ranging from $1,000 to $5,000 per violation multiplied across potentially thousands of class members.
“Getaround collected, stored, and used Plaintiff’s biometric information without ever receiving a written release executed by Plaintiff which would consent to or authorize Getaround to do the same.”
💡 The company never obtained the fundamental written consent that BIPA requires before collecting any biometric data.
“Getaround’s unlawful collection, obtainment, storage, and use of its user’s biometric data exposes them to serious and irreversible privacy risks.”
💡 The alleged violations create permanent vulnerabilities that affected users will carry for the rest of their lives.