At the beginning of this year, Google released the Google Arts & Culture app, which included a fun feature where you could upload a selfie of yourself and the app would find your “art twin” in classic portraits from around the world. For Illinois residents, however, this feature was not available because of the Illinois Biometric Information Privacy Act (BIPA). The constructed facial template and the apps’ lack of consent language mandated by BIPA stopped the feature from being released in Illinois. Written into law almost ten years ago, BIPA was the first of its kind and is the template for many of the biometric privacy laws being written today.
What is BIPA?
BIPA imposes strict compliance requirements on the retention, collection, disclosure, and destruction of biometric information. It also carries more weight than many of the other biometric privacy acts drafted in the last decade, as it allows customers to pursue class action lawsuits against companies that violate the law.
A few key features of BIPA include:
- The right to “informed consent” prior to biometric data collection
- A limited right to disclosure of how collected biometric data is used/stored
- Strict obligations and retention guidelines for biometric data
- Prohibition from profiting from biometric data
- The private right of action for individuals harmed by biometric data misuse. For companies, statutory damages can reach $1,000 for each negligent violation and $5,000 for each intentional or reckless violation
Regulating Data and Protecting Users
As more companies utilize biometric verification and authentication, BIPA protects consumers in multiple ways. For example, in a lawsuit against Wow Bao and Lettuce Entertain You, plaintiffs argued that the companies improperly collected facial data at their self-service kiosks. While this may seem trivial to some, citizens have the right to be concerned about how their data is being stored and used. With grocery and retail stores implementing facial recognition systems to track consumer reaction, the law should follow the will of the people and protect them accordingly.
As a result of the strict regulation of biometric data under BIPA, more than 50 companies doing business within Illinois are facing lawsuits in 2018 alone. While not all of these lawsuits are likely to succeed, they serve as an example of how serious laws like BIPA must be taken for firms deploying biometric technologies.
Regulation Post-BIPA
Recently, tech companies have begun to argue that technological advancements make BIPA antiquated. Biometric data storage and collection has evolved at a rapid pace over the last decade, and cyber threats have continued to target citizens, corporations, and governments around the world. Biometric technology’s immutable and secure nature is a solution to these threats. With regulations like BIPA and an uninformed public, however, these advancements aren’t able to be fully leveraged.
To protect consumers privacy while giving enough room for innovation, amendments must be made to the current BIPA protocols, according to tech giants. One such revision is already on the way. In Rosenbach v Six Flags Entertainment, a mother brought the resort to court after finding out that her son’s fingerprints had been collected at a security checkpoint. Because of the lack of consent for the minor’s fingerprints, she claimed Six Flags violated BIPA but did not state any misuse of the biometric data. Since “aggrieved person” had no definition within BIPA, Six Flags fought on the grounds that the minor suffered no adverse effects from the fingerprint scan. The court decided that those filing claims under BIPA must prove harm to the individual whose biometric data was collected.
To address the recent increase of lawsuits under BIPA and the complaints of tech companies, Illinois Senator Bill Cunningham has been working with Google and its lobbyists to rewrite BIPA. According to Senator Cunningham, BIPA should regulate the appropriate aspects of biometric collection and authentication rather than cause a backlog of lawsuits in the courtroom.
In addition, as the GDPR rolls out overseas, many wonder what this means for biometric privacy laws in the United States. Balancing the protection of Illinois citizen’s personal data and the regulation of an ever-evolving technological tool like biometric authentication is no easy feat. Rather than tough regulation, increasing research and educating citizens on these new tools could do more to protect citizens’ privacy. Without dynamic regulation, BIPA and other privacy laws modeled after BIPA could fall into a dangerous cycle of doing more harm than good.
