Regulators have been trying to make big tech companies pay for the way they collect and sometimes misuse user data. Meanwhile, one state is literally making them pay — and it’s making them pay directly to consumers.
Illinois is one of the few states in the United States that has a law that requires companies to obtain the consent of customers before collecting their biometric data. In the year The 2008 regulation is seen as the toughest in the country. The law, called the Biometric Information Privacy Act (BIPA), isn’t just mandatory. Require companies to obtain consent from individuals before collecting biometric data such as fingerprints or facial geometry scans. It also sets rules for how companies must protect such data, prohibits companies from selling Illinois residents’ biometric data, and allows Illinois residents to sue companies for violations of the law.
In the 15 years since its release, services that use biometric data — from palm print grocery shopping to facial recognition software to unlock your smartphone — It is becoming increasingly common. But the law in the United States did not last. There is no federal law on the issue, and among the select few states that have taken action, Illinois’ law appears to be particularly effective.
“This is the gold standard law,” said Chad Marlow, senior policy adviser at the American Civil Liberties Union.
As a result, Illinois has become a benchmark for regulating biometric technologies such as facial recognition software. Groups like the ACLU and private consumers have used the law to sue a growing list of prominent companies, from Facebook to Snapchat, and in some cases restrict the behavior of tech companies that offer products and services in the state. In the process, he sent a message about the importance of personal data privacy, which goes a long way. Beyond Illinois.
In Illinois, BIPA came about at least in part because of concerns over data collected by a bankrupt fingerprint-scanning payment company that then went belly-up. Lawmakers are concerned that data collected by Pay By Touch, which was located at Jewel-Osco grocery stores in the Chicago area, could be sold following the collapse (the company was put up for auction).
In the year An early 2008 draft of the law mentioned Pay By Touch by name and, unlike a Social Security number, biometric identifiers are “biologically unique” and cannot be easily changed if compromised.
“The full implications of biometric technology are not fully known,” the law says.
Indeed, at the time, companies in the United States were pursuing biometric technologies, but consumers were not as familiar with them as we know them today—and the impact of these technologies was impossible to quantify. Facebook started using facial recognition software in 2011. It wasn’t until 2010, for example, that it began automatically tagging users in pictures uploaded to social media, and in 2013, Apple added a fingerprint sensor to the iPhone to unlock the device. BPA was passed in the US 12 years ago before it was first wrongfully banned.
One of the most powerful provisions of the law is that it allows individuals to be prosecuted instead of leaving it up to the government, experts say. (Texas and Washington, which have their own similar laws, leave the decision to take legal action to their state attorneys general). Companies found to have “intentionally or recklessly” violated BIPA can be fined up to $5,000 for each violation. Those who negligently violate the law can be fined up to $1,000 per violation.
The right to sue is “one of the only ways to get companies to take compliance seriously,” says Haile Tsukayama, senior attorney at the digital rights advocacy group Electronic Frontier Foundation. And of course it’s one of the reasons why people hate it so passionately.
Despite BIPA’s legal teeth, the law didn’t take full effect until 2015. That year, Chicago-based attorney Jay Edelson of the firm Edelson PC led a class-action lawsuit against Facebook alleging that the social network violated BIPA by using facial recognition software to identify people in users’ photos and allow users to tag those people by name. Essentially, the suit contends that Facebook is collecting and storing users’ facial biometric data — the geometric measurements of their faces gleaned from photos — without first asking or asking for consent, which is required by Illinois law.
“Our client was literally worried about losing biometrics,” Edelson said of the original plaintiff’s decision to sue the social network.
Facebook filed the lawsuit in 2015. He agreed to settle for $550 million in early 2020, which the judge raised to $650 million in March 2021. (It’s much higher than what people receive in many class-action lawsuit settlements.)
Since then, Edelson has worked on dozens of BIPA cases and estimates that more than 500 cases have been violated under the Act. Most of the lawsuits relate to companies that use systems that allow employees to clock in or out with a fingerprint or face, but in addition to Facebook, several large tech companies have agreed to class-action settlements worth hundreds of millions of dollars.
Last year, TikTok agreed to pay $92 million to settle a class-action lawsuit alleging it illegally collected biometric data from users and shared it with other companies. The addiction is split into a national division and an Illinois division, with those in the Illinois division receiving six times more money because of BIPA. Google agreed to pay $100 million in April to settle a lawsuit related to the photo collection feature on Google Photos, and Snapchat’s parent company Snap agreed to pay $35 million in August to settle a lawsuit related to filters and lenses in the Snap app. (None of these companies have admitted wrongdoing.)
“In the big picture, all of these ideals work in tandem, which is what makes BIPA so powerful,” Marlow said.
The consequences aren’t always limited to the money billed to consumers, and the effects of addiction can reach far beyond Illinois state lines. For example, a settlement with controversial facial recognition company Clearview AI (which Edelson took on behalf of the ACLU and other nonprofit groups) had a major impact when it was settled earlier this year: a settlement. The company doesn’t sell the software to most companies in the U.S. — a decision that largely limits its use to law enforcement agencies in the country.
The outcome of the suit is “a total game changer in our minds,” Edelson said.
The Facebook lawsuit could have implications beyond Illinois. In the year In November 2021, less than a year after a judge increased the BIPA settlement, the company said it would stop using facial recognition software to automatically recognize people in photos and videos. It has announced that it will delete the relevant data associated with more than a billion people’s faces (it is still working on facial recognition technology, but may use it in future products).
“I’m not sure if this decision would have been made if it hadn’t been for BIPA, but certainly that decision would have eliminated BIPA’s non-compliance with facial images and facial geometry,” said law professor Liar Strahilevitz. University of Chicago.
Facebook did not respond to a request for comment. The company did not mention BIPA when it announced its decision to stop using the technology.
To avoid even the possibility of breaking the law, some companies have gone so far as to decide not to sell products in the state – for example, from Sony’s IBO robot dog; The company says it uses facial recognition software to mimic the behavior of a real pet and “behave differently with people you know.”
Some other companies are restricting features that involve biometrics to people who live outside of Illinois. This was in 2018, after Google added a feature to the Google Arts & Culture app that allowed people to take selfies and compare them to historical photos to find what your mug looks like.
“That certainly wasn’t available in Illinois, and there was some local kind of, ‘Huh, this is fun. Why can’t we use that?’ Strahilevitz said.
Following the passage of BIPA, Texas and Washington enacted their biometric laws in 2009 and 2017, respectively. But the laws haven’t been tested much (in 2022, Texas sued Facebook for illegally harvesting Texans’ facial-recognition data), perhaps because it’s the state that decides whether to prosecute rather than citizens.
The basic ideas behind BIPA “seem to be in line with popular sentiment,” Strahilevitz said, but lawmakers in states like California and Maine have tried and failed to pass their own versions of the rule.
One reason for these failures, experts say, is the build-up to such biometric laws, particularly from large and small companies that could be targeted.
However, EFF member Tsukayama, who worked with California State Senator Bob Wieckowsky on a bill that would have created BIPA-like legislation in California, thinks it could be renewed in the future, even though it stalled in committee this spring.
Also, Tsukayama pointed out, “I can change my password, but I can’t change my face.”