On 25th January, the Illinois Supreme Court passed a unanimous ruling which states that, when companies collect biometric data like fingerprints or face prints without informed opt-in consent, they can be sued. This can be done even without proof of concrete injuries- like identity fraud or physical harm.
The law known as the Biometric Information Privacy Act, requires that companies explicitly inform a person about what biometric data they will collect, and also how the data will be stored and utilized by the company. The data includes information like fingerprints, facial scans, iris scans, or other biological information. Next, the company has to obtain prior consent from that person before capturing these details. A point to be noted here is that, while other states only allow attorneys general to sue companies, the Illinois BIPA law gives individuals the right to sue companies. Afterwhich, they can collect damages of $1,000 (the amount increases to $5,000, if the court finds a company deliberately or recklessly flouted the law).
According to FastCompany, the decision was taken in a landmark lawsuit against the theme park Six Flags, who recorded the thumbprint of a 14-year-old boy without notice or written consent, while issuing him a season pass in 2014. Six Flags did not notify the boy or his mother, Stacy Rosenbach, about obtaining his fingerprints. She sued Six Flags for violation of the BIPA law and in its defense, Six Flags made the case that because Rosenbach couldn’t demonstrate that taking his fingerprints had done any “harm” to the boy (example: no data breach or security problem), the company wasn’t liable for damages.
According to the Electronic Frontier foundation, “EFF, along with ACLU, CDT, the Chicago Alliance Against Sexual Exploitation, PIRG, and Lucy Parsons Labs, filed an amicus curiae brief urging the Illinois Supreme Court to adopt a robust interpretation of BIPA. The Illinois Supreme Court agreed with us and soundly rejected the defendants’ argument that BIPA required a person to show an injury beyond loss of statutory privacy rights”. On Friday the state’s Supreme Court ruled that Six Flags had, indeed, violated the law and would need to pay the boy damages, in spite of no “harm” shown.
The ruling comes as an example in Illinois that if a company violates a citizen’s privacy without any prior notice or consent and the citizen sues, the plaintiff doesn’t need to demonstrate an additional harm for the law to protect the user.
The Six Flags ruling builds a stronger case for other ongoing lawsuits, including one against Facebook in which consumers claimed that Facebook violated a state privacy law by using facial recognition technology on their uploaded photographs without their consent. Facebook is fighting back by saying consumers should have to show that the lawbreaking practice caused ‘additional harm’ beyond a mere violation. Google also faced a similar lawsuit on Thursday, where two Illinois residents allege that the company “failed to obtain consent from anyone when it introduced its facial recognition technology.”
Just last month, Google won the dismissal of a lawsuit it has been facing since 2016 for allegedly scanning and saving the biometric data of a woman, captured unwillingly in 11 photos taken on Android by a Google Photos user. As per Bloomberg, the lawsuit was dismissed by a judge in Chicago, who found that the plaintiff didn’t suffer “concrete injuries”.
Senior staff counsel Rebecca Glenberg of the ACLU of Illinois, said in a statement that “Your biometric information belongs to you and should not be left to corporate interests who want to collect detailed information about you for advertising and other commercial purposes.”
According to Illinois.org, while facial recognition technology and biometric does have the potential to simplify life of citizens, the BIPA may affect technological innovation overall. The litigation may have the potential to drive up costs- on both ends of the spectrum.
Businesses like Apple, who have demonstrated the importance of biometric technology, will have to take extra precautions to comply with the BIPA. In case the law is violated, there is the expense of class-action lawyers and litigants. They may simply decide against hiring people in Illinois because of the expense and hassle.
It would be interesting to see companies coming up with a kind of framework that would safeguard them against violation of the BIPA as well as put citizens at rest about the way their data is handled/used.
You can head over to Electronic Frontier Foundation’s official post for more insights on this news.
ACLU files lawsuit against 11 federal criminal and immigration enforcement agencies for disclosure of information on government hacking
The district of Columbia files a lawsuit against Facebook for the Cambridge Analytica scandal
IBM faces age discrimination lawsuit after laying off thousands of older workers, Bloomberg reports