The defining feature of neighborhood facial recognition is that the people it scans are not its customers. They are the mail carrier, the dog walker, the friend stopping by, the stranger walking past. They bought nothing, signed nothing, and were never asked. A new class action filed against Amazon over Ring’s “Familiar Faces” feature is built entirely on that asymmetry — and it may be the case that finally forces a reckoning with it.

Charles Sigwalt, a Virginia resident, filed suit in Seattle alleging that Ring’s Familiar Faces feature violates biometric privacy protections by scanning millions of people who never consented to facial recognition. Sigwalt says he visited the homes of friends and family where Ring cameras with Familiar Faces were active, and that his biometric facial data was collected without notice or compensation. He never bought a Ring device. He never agreed to Ring’s terms of service. He never consented to being biometrically scanned. According to the lawsuit, none of that stopped the scanning from happening.

How “Familiar Faces” works

Ring announced Familiar Faces last September and, after pushback, launched it in December. The feature lets a Ring owner identify recurring visitors and receive personalized alerts — once the owner labels someone, the system recognizes that person by name on future visits. To do that, the camera must build and store a facial template: a mathematical representation of a face derived from analyzing the image. That is biometric data, and generating it requires scanning every face the camera sees, not just the ones the owner cares about.

This is the mechanism at the heart of the legal problem. To recognize “familiar” faces, the system must process all faces. The neighbor who walks past, the delivery driver, the child selling cookies — each is scanned so the software can decide whether they match a labeled person. The non-customers are not incidental to the system; they are its raw material.

Sigwalt’s claims draw on the body of biometric privacy law — most prominently exemplified by Illinois’s Biometric Information Privacy Act — that treats a faceprint as something a company cannot collect without informed, written consent from the person it belongs to. The genius and the difficulty of that legal theory collide directly in the Ring case.

The genius: biometric law correctly recognizes that your face is not something you can change. A leaked password gets reset; a compromised faceprint is yours for life. So the law demands consent before collection, not merely disclosure after.

The difficulty: how does any consent regime apply to a system that scans people who have no relationship with the company at all? Ring’s terms of service govern the relationship between Amazon and the device owner. They cannot bind the visitor, because the visitor never entered into them. There is no screen on which the passing pedestrian clicks “I agree.” The consent architecture that companies rely on simply has no point of contact with the person being scanned.

That is precisely why this case is significant. It tests whether biometric law reaches the bystander — the person whose face is captured not because they used a product, but because they walked within range of someone else’s.

Amazon’s defenses, and their limits

Amazon has emphasized several safeguards: Familiar Faces is off by default, it will not launch in Illinois, Texas, or Portland (jurisdictions with strict biometric enforcement), face data is encrypted, it is not shared with third parties, and unidentified faces are automatically deleted after 30 days.

Notice what those defenses do and do not address. Geographic carve-outs for Illinois and Texas are a tacit admission that the feature would be legally vulnerable under strong biometric statutes — Amazon is routing around the laws rather than complying with them everywhere. Encryption and non-sharing address what happens to the data after collection. The 30-day deletion window addresses retention. None of them address the core allegation: that the scanning of non-consenting bystanders happens at all. A faceprint that is encrypted, unshared, and deleted in 30 days was still generated without consent. The harm in biometric law is the unconsented collection itself.

Why this case matters beyond Ring

The Electronic Frontier Foundation and Senator Ed Markey both warned against Familiar Faces before launch, and the reason is structural. Ring is not one camera; it is a distributed network of millions of privately owned, often street-facing cameras. Add facial recognition to that network and you have, in effect, a crowdsourced facial-surveillance grid covering residential streets across the country — built device by device, with each owner consenting only for themselves and no one consenting for the people actually being watched.

The Sigwalt case asks whether the law will treat that grid as a collection of private choices or as a mass biometric system that captures the unconsenting public. If bystanders have no standing to object to being scanned, then neighborhood facial recognition becomes effectively unregulated by consent — because the people with the strongest claim are the ones with no contractual relationship to sue over. If they do have standing, the entire model of “off by default, owner opts in” collapses, because the owner cannot opt in on behalf of the street.

That is the question now sitting in a Seattle courtroom. Your face was scanned by a camera you do not own, attached to a service you never used, under terms you never accepted. The lawsuit asks whether that is a violation. The answer will shape whether facial recognition can be quietly deployed across every front porch in America.