A US federal judge on Thursday denied Target Corporation’s (Target) motion to dismiss a class-action lawsuit alleging the retailer collected and stored customers’ biometric data without proper notice or consent.

A class-action lawsuit was filed in May 2024 by four Illinois residents on behalf of shoppers in the state. The plaintiffs allege that Target violated the Illinois Biometric Information Privacy Act (BIPA), which regulates the collection, storage, and use of biometric data such as facial scans and fingerprints.

According to the lawsuit, Target uses surveillance cameras with facial recognition technology to monitor shoplifting. The plaintiffs claim that Target failed to inform customers in writing or obtain their consent before collecting biometric data. They also allege that Target did not disclose how the data is used, how long it is stored, or whether it is shared with third parties.

Target argued the lawsuit should be dismissed because the plaintiffs’ claims were speculative and lacked sufficient evidentiary support.

The court rejected these arguments and ruled that the plaintiffs had provided sufficient detail to make their allegations plausible. This is sufficient at this stage of litigation because the central inquiry is whether the case merits further proceedings for examination. The court’s order requires Target to respond to the complaint by December 13, 2024.

This lawsuit is one of several class-action cases against companies involving alleged privacy violations across the US. A similar BIPA lawsuit was filed against Amazon in September 2023. It alleged that Amazon collected and shared biometric data, such as facial and hand geometry scans, through its JWO hardware without notice or consent. The suit also claimed that Amazon failed to publish retention and destruction policies and profited by selling the technology to other retailers. The court similarly denied Amazon’s motion to dismiss on November 6, 2024, with pre-trial proceedings set to begin in January 2025.