We have written before about the issues presented by the Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 (“BIPA”). BIPA is still the only state biometric privacy statute with a private right of action. It has garnered national attention and become the epicenter of biometrics-based litigation, with dozens of cases pending alleging violations of the statute (defendants include employers of all types, social media platforms, service providers, and many other businesses that interact with Illinois residents). Just as the privacy concerns surrounding the collection and storage of biometric data have come into sharper focus with more and more companies employing such technologies for digital authentication, security and other uses, the litigation surrounding BIPA has garnered much controversy and the legislature has previously been called upon to amend the statute to limit its reach. The Illinois legislature is now considering a bill (SB3053) that would fundamentally alter the privacy protections under BIPA.
BIPA, generally speaking, prohibits an entity from collecting, capturing, purchasing, or otherwise obtaining a person’s “biometric identifier” or “biometric information,” unless it satisfies certain notice and consent and data retention requirements. The statute contains defined terms and limitations, and parties in ongoing suits are currently litigating a number of issues, including what “biometric identifiers” and “biometric information” mean under the statute and whether the collection of facial templates from uploaded photographs using sophisticated facial recognition technology fits within the ambit of the statute.
Privacy advocates have hailed BIPA’s strong biometric privacy protections, while some in the tech and business community have decried that BIPA is deterring innovations in mobile services and spurring a wave of copycat litigation against companies that collect biometric data to authenticate customers or employees. Presumably to alleviate industry concerns and stem the amount of BIPA-related litigation against employers, the Illinois State Senate is now debating SB3053 to amend BIPA and carve out exemptions to the scope of the law for entities that: collect biometric data exclusively for employment, human resources, fraud prevention or security purposes; collect biometric data but do not sell, lease or trade from such information; or collect, store, transmit or protect biometric data in a manner that is equivalent to the manner in which the entity handles confidential or sensitive information.
A proposed Senate Amendment to SB3053 would go further and significantly narrow BIPA’s reach. For example, one change would expressly exclude digital photographs and data generated from digital photographs from the definition of “biometric identifier,” an issue that has been the focus of multiple disputes involving the photo tagging functions of social media services that employ sophisticated facial recognition technology. Other changes would limit the definitions of “biometric identifier” and “biometric information” further by requiring that such data be “linked by a private entity to the subject’s confidential and sensitive information,” exempt entities that do not retain biometric data more than 24 hours, and exempt cloud service providers from liability for “[taking] any action at the direction of or on behalf of a user of the cloud services.” The Amendment also adds language that would amend the private right of action to civil suits for persons aggrieved by a violation of the act “that occurs in this State,” an attempt to allay concerns that BIPA is impermissibly being applied in an extraterritorial manner.
It is not hard to imagine that defendants currently embroiled in BIPA litigation – technology companies and various businesses and employers – are cheering the proposed changes to the statute and view them as timely efforts to rein in privacy lawsuits over mere procedural harms; on the other hand, digital privacy advocates (such as the Electronic Frontier Foundation) have opposed the bill and its amendments and called such efforts a serious attack on personal privacy. Efforts to limit the types of biometric data covered by the statute have failed in the past (and perhaps the current heightened awareness of digital privacy in the news makes it not the ideal time to pass legislation downgrading privacy protections).
Beyond Illinois, it should also be noted that a number of states are considering laws modeled on BIPA, complete with a private right of action. Thus, if the Illinois law is amended, the question remains as to what might happen in other states. As it stands, the law surrounding biometric privacy is a patchwork of state laws (e.g., Illinois, Texas and Washington) – including a number of states that expressly list biometric data in the definition of “personal information” under data breach notification laws – but no federal law expressly governing the collection and use of biometric data of adults (note: under the regulations promulgated under the Children’s Online Privacy Protection Act (COPPA), “personal information” includes individually identifiable information that is collected online, and expressly includes “a photograph, video or audio file that contains a child’s image or voice”).
Biometric privacy remains an important issue, as facial recognition and other biometric technologies are increasingly in use. As such, it is desirable to find a balance between privacy and security while at the same time allowing companies to use the advances in biometrics in productive ways. Some argue that the Illinois law, in its present form, fails to strike that balance. It appears that some of the Illinois legislators have heard that argument and are trying to correct any imbalance that the law might present. Given what’s at stake, we will closely follow these legislative developments.