Illinois is one of just a few states in the United States that has a law requiring companies to get consumers’ consent before snagging their biometric data, and its rule, passed in 2008, is seen as the toughest in the nation. The law, called the Biometric Information Privacy Act (BIPA), doesn’t just force companies to get permission from people before collecting biometric data like fingerprints or scans of facial geometry. It also sets rules regarding how companies must safeguard such information, prohibits companies from selling Illinois residents’ biometric data, and allows Illinois residents to sue companies for alleged violations of the law.
“It’s the gold standard law,” said Chad Marlow, a senior policy counsel for the American Civil Liberties Union.
As a result, Illinois has become the benchmark for regulating biometric technologies such as facial-recognition software. Groups like the ACLU and individual consumers have used the law to sue a growing list of prominent companies from Facebook to Snapchat, and in some cases to curb the behavior of tech companies offering products and services in the state. In the process, it has sent a message about the importance of personal data privacy that reverberates far beyond Illinois.
How it started
The text of the law, which was introduced in early 2008, mentions Pay By Touch by name and points out that, unlike a Social Security number, biometric identifiers are “biologically unique” and can’t simply be changed if they’re compromised.
“The full ramifications of biometric technology are not fully known,” the law says.
Experts say one of the most powerful provisions of the law is that it allows individuals to sue, rather than leaving it up to the state. (Texas and Washington, which have their own similar rules, leave the decision to take legal action to their states’ attorneys general.) Companies found to have “intentionally or recklessly” violated BIPA may owe up to $5,000 for each violation; those found to have violated the law due to negligence may owe up to $1,000 per violation.
That right to sue “has been one of the only ways you get companies to take compliance seriously,” said Hayley Tsukayama, a senior legislative activist for the Electronic Frontier Foundation, a digital rights group. “And it is of course one reason the people who hate it hate it with a burning passion.”
Despite BIPA’s legal teeth, the law didn’t show its full force until 2015. That year, Chicago-based attorney Jay Edelson’s firm, Edelson PC, led a class-action suit against Facebook alleging that the social network violated BIPA with its use of facial-recognition software to identify people in users’ photos and suggest users tag those people by name. The suit argued, essentially, that Facebook was gathering and keeping users’ facial biometric data — measures of their facial geometry gleaned from pictures — without asking in advance or asking for permission, which is against Illinois law.
“Our client was literally worried he would lose his biometrics, and it would be out in the world,” Edelson said of the initial plaintiff’s decision to sue the social network.
Far-reaching impacts
Edelson has since worked on dozens of BIPA lawsuits and estimates that more than 500 suits have been filed alleging violations under the law. Many of the lawsuits relate to companies using systems that make employees clock in or out with a fingerprint or face, but in addition to Facebook, numerous big tech companies have also agreed to class-action settlements worth hundreds of millions of dollars.
“In the big picture, it’s all of these suits acting in combination with each other, which is what makes BIPA so powerful,” Marlow said.
The outcome of the suit “is a total game changer, in our minds,” Edelson said.
“I’m not sure that that’s a decision they would have made were it not for BIPA, but certainly making that decision removes the possibility of BIPA non-compliance with facial images, and facial geometry,” said Lior Strahilevitz, a law professor at the University of Chicago.
Facebook did not respond to a request for comment. The company did not mention BIPA when it announced its decision to halt the use of the technology.
“That was definitely not available in Illinois, and there was kind of some local, ‘Huh, that’s interesting. Why can’t we use that?’” Strahilevitz said.
Others try (and fail) to pass similar rules
The basic ideas behind BIPA “seem to be consistent with popular sentiment,” said Strahilevitz, yet legislators in states such as California and Maine have tried and failed to pass their own versions of the rule.
Experts say part of the reason for these failures is that momentum has built up against such biometrics laws, particularly from companies large and small that can be their targets.
After all, Tsukayama pointed out, “I can change a password, but I can’t change my face.”