Regulators have spent years making big tech companies pay for the way they collect and sometimes misuse user data. One state, meanwhile, is literally making them pay – and pay directly to consumers.
Illinois is one of only a few states in the United States that has a law requiring companies to obtain consumer consent before harvesting their biometric data, and its 2008 rule is considered the toughest in the nation. The law, called the Biometric Information Privacy Act (BIPA), not only forces companies to get people’s permission before collecting biometric data like fingerprints or facial geometry scans. It also establishes rules for how companies must protect such information, prohibits companies from selling Illinois residents’ biometrics, and allows Illinois residents to sue companies for alleged violations of the law.
In the nearly 15 years since its passage, services that use biometrics — from palm recognition for grocery shopping to facial recognition software to unlock your smartphone — have become increasingly common. But legislation in the United States has not kept pace. There is no federal legislation on the issue, and among the select few states that have taken action, Illinois’ law is considered uniquely effective, CNN reported.
“It’s the gold standard law,” said Chad Marlow, a senior policy adviser to the American Civil Liberties Union.
As a result, Illinois has become the benchmark for regulating biometric technologies like facial recognition software. Groups like the ACLU and individual consumers have used the law to sue a growing list of prominent companies from Facebook to Snapchat, and in some cases to curb the behavior of tech companies that offer products and services in the state. In doing so, it sent a message about the importance of protecting personal information that resonated well beyond Illinois.
How it started
In Illinois, BIPA arose, at least in part, from concerns about fingerprint-scan data collected by a payment company that then went bankrupt. Lawmakers feared that data collected by Pay By Touch, which was available at Chicago-area Jewel-Osco grocery stores, could be sold after it failed (the company was auctioned off in parts).
The legal text, introduced in early 2008, mentions Pay By Touch by name, pointing out that unlike a social security number, biometric identifiers are “biologically unique” and cannot be easily changed if compromised.
“The full impact of biometric technology is not fully understood,” the law states.
Indeed, companies in the United States were pursuing biometric technologies back then, but consumers weren’t nearly as familiar with them as we are today, and the impact of such technologies was impossible to calculate. It wasn’t until 2010 that Facebook started using facial recognition software, for example, to automatically tag users in pictures uploaded to the social network, and in 2013 Apple first added a fingerprint sensor to the iPhone to unlock the device. BIPA was passed 12 years before America’s first known wrongful arrest based on facial recognition.
Experts say one of the law’s most powerful provisions is that it allows individuals to sue, rather than letting the state do it. (Texas and Washington, which have their own similar rules, leave the decision to pursue legal action to their states’ attorneys general.) Companies found to have violated BIPA “willfully or recklessly” may be liable for up to $5,000 for each violation; individuals found to have violated the law through negligence may owe up to $1,000 per violation.
This right to sue “was one of the few ways we got companies to take compliance seriously,” said Hayley Tsukayama, a senior legislation activist for the Electronic Frontier Foundation, a digital rights group. “And of course that’s part of the reason why the people who hate it hate it with a burning passion.”
Despite BIPA’s legal teeth, the law didn’t show its full force until 2015. That year, Jay Edelson’s Chicago-based law firm Edelson PC led a class-action lawsuit against Facebook alleging that the social network violated BIPA with its use of facial recognition software to identify people in user photos and suggest that users tag those people with their names. The lawsuit essentially argued that Facebook collected and stored users’ facial biometrics (measurements of their facial geometry from images) without first asking for permission, in violation of Illinois law.
“Our client was literally worried that he was going to lose his biometrics and it was going to get out into the world,” Edelson said of the original plaintiff’s decision to sue the social network.
Facebook agreed to settle the lawsuit in early 2020 for $550 million, and a judge upped that amount to $650 million in March 2021 (far more than what people get in many class action settlements).
Edelson has since worked on dozens of BIPA lawsuits and estimates that more than 500 lawsuits have been filed alleging violations of the law. Many of the lawsuits relate to companies using systems that clock employees in and out with a fingerprint or face, but alongside Facebook, numerous large tech companies have also agreed to class action settlements worth hundreds of millions of dollars.
Last year, TikTok agreed to pay $92 million to settle a class action lawsuit alleging that it unlawfully collected biometric data from users and then shared it with other companies. The lawsuit was divided into a national class and an Illinois class, with those in the Illinois class able to receive up to six times more money due to BIPA. Google agreed to pay $100 million to settle a lawsuit related to a photo grouping feature in Google Photos in April, and Snapchat parent company Snap agreed to pay $35 million to settle a lawsuit in August related to filters and lenses in the Snap app. (None of these companies have admitted wrongdoing.)
“Broadly speaking, all of these suits work in combination, which is what makes BIPA so powerful,” Marlow said.
Outcomes aren’t always limited to paying out money to consumers, and the impact of the lawsuits can extend beyond Illinois state lines. For example, a lawsuit against controversial facial recognition company Clearview AI (which Edelson worked on as a volunteer on behalf of the ACLU and other nonprofit groups) had far-reaching implications when it was settled earlier this year: it resulted in an agreement that the company will not sell its software to most companies in the United States, a decision that largely limits its use to the country’s law enforcement agencies.
The outcome of the lawsuit “is a total game changer in our eyes,” Edelson said.
The Facebook lawsuit may also have had repercussions beyond Illinois. In November 2021, less than a year after a judge increased the amount of its BIPA case settlement, the company said it would stop using facial recognition software to automatically identify people in photos and videos. It also announced it would delete related data associated with the faces of over a billion people (however, it will still be working on facial recognition technology and might use it in its future products).
“I’m not sure they would have made that decision if it wasn’t for BIPA, but that decision certainly eliminates the possibility that BIPA is non-compliant with facial imagery and facial geometry,” said Lior Strahilevitz, a law professor at the University of Chicago.
Facebook did not respond to a request for comment. The company made no mention of BIPA when announcing its decision to stop using the technology.
To avoid even the potential for violations of the law, some companies have gone so far as to choose not to sell a product in the state, as with Sony’s Aibo robotic dog, which the company says mimics the behavior of a real pet by using facial recognition software to “behave differently towards familiar people.”
Some other companies restrict features that include biometrics to individuals residing outside of Illinois. This was the case in 2018 when Google added a feature to its Google Arts & Culture app that allows people to take a selfie which is then compared to historical paintings to find one that most closely resembles your mug.
“That definitely wasn’t available in Illinois, and there was kind of a local ‘Huh, that’s interesting. Why can’t we use that?’” Strahilevitz said.
Others try (and fail) to enact similar rules
Following the passage of BIPA, Texas and Washington passed their biometric laws in 2009 and 2017, respectively. But the laws have hardly been tested (in 2022, Texas also sued Facebook over allegations it illegally harvested Texans’ facial recognition data), likely because it’s up to states rather than individual citizens to decide whether to sue.
The basic ideas behind BIPA “seem to align with popular sentiment,” Strahilevitz said, but lawmakers in states like California and Maine have tried and failed to pass their own versions of the rule.
Experts say part of the reason for these failures is that momentum has built against such biometrics laws, particularly from companies large and small that can be their targets.
But the EFF’s Tsukayama, whose group worked with California Sen. Bob Wieckowski on the bill he introduced in February that would have created a BIPA-like law in California, believes it could be revived in the future, even though it was stalled in committee this spring.
Finally, Tsukayama stressed, “I can change a password, but I can’t change my face.”
(The CNN Wire & 2022 Cable News Network, Inc., a Time Warner Company. All rights reserved.)