Illinois law on biometric data could be a template for federal legislation
Neither the federal government nor most states in the U.S. assertively address how businesses can use facial-recognition images and other biometric data they gather via social network sites, cameras in public places or by tracking internet users’ activities. Illinois, luckily, has what is widely considered the most stringent and effective tech-privacy law in the nation -- one that has forced Facebook and other behemoth companies to make changes to their practices that have had a positive impact even outside Illinois’ borders. On this issue, federal lawmakers could learn something from the Land of Lincoln.
When the Illinois Biometric Information Privacy Act was passed in 2008, the technology it sought to rein in was still nascent or in some cases theoretical. “Biometric” means, essentially, data gathered from a person’s physical characteristics (fingerprints, facial imagery, retina scans) or behavioral patterns (shopping habits, social media interactions).
Debate about its use in high-tech applications has often centered on how government and law enforcement might use and potentially abuse it. That remains a valid debate. But the Illinois law specifically focuses on private companies, prohibiting them from taking something from their customers without permission: their unique physical and behavioral characteristics.
Such technology can be useful when deployed in limited ways with the consumer’s permission -- the facial-recognition program that can open your cell phone for you, for example.
But when such data is scooped up en masse, often without consumers’ knowledge, and sold between companies, it ceases to be a convenience and becomes, at best, an annoyance -- as with micro-targeted advertising barrages based on consumers’ internet browsing habits. More sinister issues include the potential for loosely deployed biometric data to impact credit, employment or housing decisions, by giving companies far more data about applicants than they would otherwise be entitled to.
The Illinois law requires that entities must have written consent from a person before collecting or storing that person’s biometric data, and gives consumers the power to sue for damages if companies violate that law.
The law ushered in last year’s landmark $650 million settlement from Facebook for about 1.5 million Illinoisans who sued over the company’s facial-recognition feature, which stored that data from users to identify them in photos throughout the platform. Facebook announced in November that it’s shutting down the feature after weighing “the positive use cases for facial recognition against growing societal concerns.” The shut-down entailed deleting the facial-recognition data of more than a billion users.
It’s just one example of how Illinois’ law is helping protect the privacy of even citizens outside its borders, in the absence of a national standard. Such a standard, written into federal law, would be a preferable approach. If and when Congress gets its act together enough to address the issue, Illinois has provided a blueprint.