Biometric Privacy Laws: A Help or Hindrance in the Age of Technology
In the days before the internet offered consumers one-stop-shopping sites, such as Amazon, the issue of protecting customer information was not a legal one. When a customer left behind personal information, it was so the store could reach the customer to discuss the status of the service being provided. Today, the internet has provided a platform for retailers to go digital.
One recent advancement in the field of digitized commerce is the use of biometric recognition technology to authenticate users. Unlike other forms of data (such as passwords) and other personally identifying information (such as phone numbers and e-mail addresses), biometric information (such as fingerprints, facial scans, and iris patterns) cannot be changed by the user. Alarmingly, most states’ current privacy laws do not adequately protect collected biometric data.
Three states currently have enacted versions of a Biometric Information Privacy Act (“BIPA”).1 The states with some ratified version of BIPA are Washington, Texas, and most notably, Illinois.2 A handful of other states are attempting to enact their own version of BIPA: Alaska, California, Idaho, Montana, New Hampshire, Massachusetts, Connecticut, and New York.3
Illinois’ version of BIPA is most notable because it is the strictest. It requires companies to receive prior written consent from users before using biometric data.4 This has led to results that have upset some Illinois citizens.
One example was when the Google Arts & Culture app went viral. The app allowed users to upload pictures of themselves and find out if their facial characteristics matched figures in historical paintings. Those living in Illinois were precluded from participating because their BIPA law forbade the use of facial scan technology needed to operate the app.5
Some tech supporters ardently oppose BIPA laws like Illinois’, arguing they are “a roadblock to even some rudimentary uses of biometrics.”6 These proponents of technological advancement likewise argue that the concerns BIPA was enacted to address, such as “widespread identity theft and government surveillance,”7 have not come to pass. Proponents of amending BIPA laws to be less restrictive often cite the fact that the legislators who originally introduced BIPA in Illinois have attempted to amend the law, because they “never intended to restrict many of these activities.”8
Regardless of where you stand on the merit of BIPA laws, recent litigation in Illinois has far-reaching effects for the future of tort law, in particular privacy-centric cases. The Illinois Supreme Court recently decided that actual harm, beyond a violation of personal rights under the statute, is not necessary to file suit against a corporation under Illinois’ BIPA law.9 Actual harm, or the existence of damages, has long been a requirement to gain standing – the ability to bring suit – in courts of law. The landmark decision in Six Flags amends this requirement by permitting suits to go forward if a person’s rights under BIPA have been violated, even in instances in which no actual damages exist. Damages have long been a primary concern of civil lawsuits, because their goal is making a plaintiff (victim) whole after they have suffered a wrong. Generally, this is accomplished by allowing the plaintiff to recoup the money they have lost as a result of the wrong they suffered. One wonders what remedy awaits those suing under BIPA, if they have not suffered actual harm or damages. This decision may open the floodgates to litigation against all companies operating in Illinois, a result that will be costly both to the corporations and to the courts whose dockets are bogged down by cases.
Responses to the decision reached in the Six Flags case have been mixed. Advocates of protecting individual privacy lauded the decision. The Electronic Frontier Foundation, for example, referred to the ruling as a privacy victory.10 The Illinois Chamber of Commerce, on the other hand, fears the consequences the ruling might have on the continued commercial health of Illinois.11
With the Illinois Supreme Court’s decision potentially opening the floodgates to a myriad of BIPA-related litigation, it will be interesting to see how Illinois courts, courts in other states with BIPA laws, and the federal courts handle BIPA litigation in the future. Questions of implied consent and constitutional standing, however, remain unanswered, at least by the Illinois Supreme Court. One thing remains clear. As technology advances, lawmakers must act to ensure the law is likewise advancing.
Danny Thakkar, U.S. States Enact BIPA: Legal Framework for Biometric Information Privacy, Bayometric (May 7, 2018), https://www.bayometric.com/u-s-states-enact-bipa/ (last visited Mar. 5, 2019). [https://perma.cc/Z9AM-RP2G]
Biometric Info. Privacy Act, 740 Ill. Comp. Stat. 14/10 (2008).
Daniel Castro, When Do Privacy Regulations Go Too Far?, GovTech: Sounding Off (Jul./Aug. 2018), http://www.govtech.com/opinion/When-Do-Privacy-Regulations-Go-Too-Far.html (last visited Mar. 5, 2019). [https://perma.cc/99ZZ-SUTT]
Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186 (Jan. 25, 2019).
Jennifer Lynch & Adam Schwartz, Victory! Illinois Supreme Court Protects Biometric Privacy, Elec. Frontier Found. (Jan. 25, 2019), https://www.eff.org/deeplinks/2019/01/victory-illinois-supreme-court-protects-biometric-privacy (last visited Mar. 5, 2019). [https://perma.cc/7DUJ-LPWS]
Ben Winck, Illinois Supreme Court ruling bolsters consumers’ biometric privacy, Crain’s Chi. Bus. (Jan. 25, 2019, 2:20 PM), https://www.chicagobusiness.com/node/833016/printable/print (last visited Mar. 5, 2019). [https://perma.cc/FZ2L-VHPH]