An obscure law could lead to broader limits on biometrics.
These days, many of us regularly feed pieces of ourselves into machines for convenience and security. Our fingerprints unlock our smartphones, and companies are experimenting with more novel biometric markers—voice, heartbeat, grip—as ID for banking and other transactions. But there are almost no laws in place to control how companies use such information. Nor is it clear what rights people have to protect scans of their retinas or the contours of their face from cataloging by the private sector.
There’s one place where people seeking privacy protections can turn: the courts. A series of plaintiffs are suing tech giants, including Facebook and Google, under a little-used Illinois law. The Biometric Information Privacy Act, passed in 2008, is one of the only statutes in the U.S. that sets limits on the ways companies can handle data such as fingerprints, voiceprints, and retinal scans.
At least four of the suits filed under BIPA are moving forward. “These cases are important to scope out the existing law, perhaps point out places where the law could be improved, and set principles that other states might follow,” says Jeffrey Neuburger, a partner at law firm Proskauer Rose.
The bankruptcy of fingerprint-scanning company Pay By Touch spurred BIPA’s passage. Hundreds of Illinois grocery stores and gas stations used its technology, allowing customers to pay with the tap of a finger. As the bankrupt company proposed selling its database, the Illinois chapter of the American Civil Liberties Union drafted what became BIPA, and the bill passed with little corporate opposition, says Mary Dixon, legislative director of the Illinois ACLU.
Under the Illinois law, companies must obtain written consent from customers before collecting their biometric data. They also must declare a point at which they’ll destroy the data, and they must not sell it. BIPA allows for damages of $5,000 per violation. “Social Security numbers, when compromised, can be changed,” the law reads. “Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, [and] is at heightened risk for identity theft.”
In April 2015, Chicagoan Carlo Licata, a Morgan Stanley financial adviser, sued Facebook under BIPA, arguing that the company violated his privacy by using its facial-recognition software to create a detailed geometric map of his face and tag him in photos.
Two more Illinois residents filed complaints against Facebook the following month. That June a logistics engineer and paratriathlete named Brian Norberg brought an almost identical suit against the photo-sharing site Shutterfly. Two more plaintiffs sued video game publisher Take-Two Interactive Software on similar grounds in October, and two more went after Google in March. The companies declined to comment for this story.
“I think people had really imagined, well, biometrics, it’s got to be an in-person thing. You walk in front of a facial scanner,” says Mark Eisen, a lawyer at Sheppard Mullin in Chicago who specializes in consumer privacy and class-action suits. (He’s not involved in any of the cases.) “So that first lawsuit got a lot of attention, and follow-up lawsuits happened pretty quickly.” Most of the suits focus on photo tagging; in Take-Two’s case, the plaintiffs are worried about the game maker’s creation of realistic digital look-alikes using their facial profiles.
Take-Two has argued that the plaintiffs lack standing because they haven’t claimed harm. The lawsuit against Shutterfly survived a motion to dismiss in December and ended with an undisclosed settlement in April. In the Facebook suit, the plaintiffs are seeking information about, among other things, Facebook’s marketing of and third-party access to its faceprint database. Facebook is arguing that BIPA was meant to apply to physical facial scans and shouldn’t apply to photos.
National efforts to establish biometric guidelines haven’t gone well. In 2014 a Department of Commerce agency led an effort to develop a code of conduct for companies using facial-recognition technology, but consumer advocates withdrew from the group the following year, saying tech companies refused to consider the most modest of privacy protections. The effort yielded an unenforceable set of privacy recommendations, published in June.
Part of the problem is that government agencies often have an interest in looser consumer protections. In May the Department of Justice proposed exempting the FBI’s facial-recognition program, called Next Generation Identification, from privacy protections. In June the Government Accountability Office reported that the FBI program failed tests of accuracy and privacy. So far the report hasn’t led to any action.
In Canada and Europe, Facebook stopped offering tag suggestions on photos following pressure from regulators to obtain consent to collect people’s images. In the U.S., BIPA has become a target. Just before Memorial Day, with the Illinois legislature rushing to finish its session, Democratic state Senator Terry Link proposed an amendment to the statute that would have excluded photos and digital images from protection and neatly undercut the lawsuits.
The ACLU’s Dixon says the amendment was Facebook’s doing. Link declined to comment. Following outrage from advocacy groups such as the ACLU and the Electronic Frontier Foundation (EFF), it was shelved without a vote, but there’s nothing stopping its reintroduction.
“This measure was introduced right before the Memorial Day weekend and could have been passed and changed the law over that weekend,” says Jennifer Lynch, a senior staff attorney at EFF. “If we only have one state with a law that protects use from commercial biometric data collection, and it’s so easy to change that law, it just shows how tenuous the protections on our privacy are.”
The bottom line: For now, an Illinois statute is the strongest check on corporate use of biometric data such as fingerprints and facial profiles.