An Illinois law enacted in 2008 appears now to be center stage in the national privacy and technology spotlight. The Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq., has been called “one of the best new privacy laws in the country,” by Marc Rotenberg, President and Executive Director of the Electronic Information Privacy Center (EPIC).
The Act
Essentially, the Act regulates biometric identifiers and biometric information in Illinois. Any private entity that has any involvement with such information must understand and comply with the Act’s terms. Indeed, the Act applies to any entity that collects, captures, purchases, receives through trade, or otherwise obtains a person’s or a customer’s biometric identifier or biometric information. In fact, before a private entity can engage in any of the foregoing conduct it must provide notice of the collection, the purpose for the collection, the length of time the information will be held, and, after doing so, obtain a written release. In storing such information, it must comply with the standard of care applicable to its industry and protect such information in the same manner as other confidential and sensitive information.
The Act then restricts what a private entity may do with the biometric identifiers and biometric information. It may not “sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.” 740 ILCS § 14/15. Period. There is no opt-in or opt-out of this restriction. Id. Further, a private entity may not “disclose, redisclose, or otherwise disseminate” biometric identifiers and biometric information without consent or one of a few other limited exceptions.
Of course, an entity possessing any biometric identifiers and biometric information must develop applicable policies.
The Issue
Although enacted in 2008, the “new” privacy law has only recently found its way into the national spotlight. As social media entities have begun to implement facial recognition technology into their services (Google Photos, Snapchat filters, and Facebook photo-tagging features) they invoke the Act’s protections. Indeed, the Act’s definition of “biometric identifier” includes “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Arguably, the technology used by social media entities in their facial recognition constitutes the “scan of … face geometry” under the Act.
(As an aside, a comparison of the file structure within two digital images arguably might not constitute a “scan of … face geometry.” So, the algorithms used in software that compare digital images for potential copyright infringement might not be invoked by the Act. Consequently, the mere fact that a company possesses technology to recognize an image of an individual as a specific person does not in turn mean that it may invoke the Act. Indeed, “[b]iometrics, however, are biologically unique to the individual.” As such, it would seem that technology using biometric identifiers could not make mistakes. If the technology used for facial recognition among social media entities makes mistakes, it begs the question whether the technology truly employs a “scan of face geometry” or other comparison of digital data. That being said, a similar argument did not persuade the Northern District of California at the motion to dismiss stage in IN RE FACEBOOK BIOMETRIC INFORMATION PRIVACY LITIGATION, 3:15-cv-03747-JD.)
Given the perceived violation of the Act by social media entities employing facial recognition, enterprising law firms have perceived and acted upon economic opportunities. Although the statutory damages under the Act do not exceed $5,000.00 (reckless or intentional violation of the Act), the Act provides for the possible recovery of attorney’s fees and costs (the Act provides that a successful litigant “may” – not “shall” recover attorney’s fees and costs).
The Most Recent Controversy
On May 26, 2016, Illinois State Senator Terry Link, who originally introduced the Act, introduced an amendment to the Act that would limit biometric information obtained under the Act to that information obtained “in-person.” Senator Link’s office has since indicated the amendment will not be pursued further.
The Coverage
On Saturday, May 28, 2016, the New York Times covered the Act’s recent developments on the front page of its Business Day section in an article by Conor Dougherty (@conordougherty). The article provides a very good summary of the Act’s potential impact. More importantly, it highlights that privacy advocates have begun to implement protective legislation on a state level. The day before, Russel Brandom (@russelbrandom) of The Verge reported on the skepticism relating to Senator Link’s amendment – particularly among the attorneys who filed a class action suit against Facebook for alleged violations of the Act.
The Future
Although Conor Dougherty suggests that Facebook may decide to settle in response to a court’s recent ruling denying its motion to dismiss, I am not so sure. There should be a determination – whether by legislature or the courts – on whether the analysis of digital images constitutes the “biometric identifiers and biometric information” encompassed with the Act – or not. As the Northern District of California stated:
As the facts develop, it may be that “scan” and “photograph” with respect to Facebook’s practices take on technological dimensions that might affect the BIPA claims. Other fact issues may also inform the application of BIPA. But those are questions for another day.
Under a motion to dismiss standard, the Court must take as true the allegations in the Complaint in view them in the light most favorable to the plaintiffs. Consequently, the court’s determination of such does not mean that, as a factual matter, the Act encompasses Facebook’s technology. Rather, the statute on its face does not expressly exclude it.
The foregoing being said, it makes sense for any social media or other private entity venturing into new technologies to adopt policies addressing these issues a priori. A well-developed and informing policy will address the issues of disclosure. Obtaining informed and meaningful consent will enable compliant use. And, the companies will be kept in check in their developing use of our personal information.
The saga with the Illinois Act also demonstrates the point that companies must remain abreast – and have their attorneys keep them abreast – of all state developments that might affect business operations. Albeit a daunting task, informed counsel already seek to remain abreast of international developments (EU, Safe Harbor, etc.) that may affect client business operations.
Mudd Law practices Internet, privacy, and technology law.