Biometrics promise to take a larger role in authentication security in 2019, helping to stop online fraud and bringing speed, efficiency and security to transactions ranging from QSR mobile-order ahead to airport car rentals.
But at the same time, the laws governing biometrics are a work in progress, and as more consumers become more skeptical about the safety and use of their identities and data online, you can bet on more cases testing the boundaries of existing regulations.
Many of those efforts are likely to center on Illinois, which has what is commonly regarded as the strictest law in the U.S. for use of biometric data. The Illinois Biometric Information Privacy Act, a state law enacted in 2008, gives users a “property interest” in the algorithms that establish their digital identities. The Act’s penalties including $5,000 for each intentional violation and $1,000 for every negligent violation.
One of the highest-profile recent cases involving the Act resulted in a victory for corporate storage and use of biometric data — though it remains too early to tell what kind of precedent that ruling will make over the long term. The suit, filed in 2016, accused Google of breaking the Illinois law by collecting and storing biometric data from photographs via facial recognition software through its Google Photos service. Plaintiffs were seeking more than $5 million for the “hundreds of thousands” of Illinois residents affected.
For its part, Google said the plaintiffs should not receive any money or injunctive relief because they had suffered no harm. Google was granted a motion for summary judgement by U.S. District Judge Edmond Chang, who ruled that there was a lack of “subject matter jurisdiction because plaintiffs have not suffered concrete injuries.” Google had previous announced, however, that it will not sell its facial recognition products until it can make sure the technology will not be abused.
Six Flags Case
Meanwhile, another suit filed against Six Flags for allegedly violating the state law has gone forward, as the state’s Supreme Court in late 2018 heard oral arguments about the case.
According to Law360, the case is focused on the mother of a teenage boy who filed a lawsuit against Six Flags after her son’s thumbprint was scanned for season pass entry. The suit alleges that collecting the data violated the law, but the company argued there was no actual harm done by the collection of the print. “At least three of the seven justices hearing the case were skeptical of the arguments made by attorneys representing Six Flags,” one account reported.
As well, there remains a pending lawsuit against Facebook for how its use of the social network’s photo scanning technology allegedly violates the Illinois law. Like Google, Facebook has argued that the plaintiffs cannot show damages — an argument countered by the likes of the ACLU and other organizations that have signed onto friends-of-the-court briefs, which say such a view would render the state law powerless.
About 100 class-action suits have been filed about alleged violations of the Illinois biometric authentication law, according to Law360. Businesses in Illinois have been pushing back against the law, and even one of its main champions in the statehouse recently came out in favor of weakening the provision that applies to digital photographs, according to local news reports.
Washington and Texas also have laws focused on biometric data and privacy, but those laws are considered far weaker than the Biometric Information Privacy Act, or BIPA.
“Unlike Illinois, however, Texas and Washington bypassed the private right of action, opting to leave the litigation trigger in the hands of their respective state attorney generals,” which has resulted in fewer biometric privacy cases in those states, according to a blog post from Bradley Law Firm. “States like Alaska, Connecticut, Massachusetts and New Hampshire have chosen … to strengthen the protection of biometric data through the implementation of comprehensive biometric legislation similar in scope to BIPA.”
Despite the recent high-profile cases in Illinois involving Google and Facebook, most cases brought under BIPA in Illinois involved employee-employer relations — specifically, as that Bradley blog notes, “employees alleging that the implementation of fingerprint scanning to streamline employer timekeeping systems violated BIPA’s notice, consent and disclosure requirements.” In fact, the Wendy’s fast food chain was recently hit with such a suit in Illinois. What that means for future use of biometrics for consumer authentication in payments and commerce is unclear, but it’s a good idea to keep an eye on such cases to see how the law develops.
And it’s a solid bet that law will keep developing, and will do so significantly in the coming year or years, with Illinois serving a model. “The combination of an uptick in class-action lawsuits regarding biometric data and an increased public focus on data security and privacy likely make it a question of ‘when,’ not ‘if,’ similar laws are passed,” reads another analysis, this one from Bernstein Shur Sawyer & Nelson. In a way, that is a good sign for biometrics — you know a technology is getting into the mainstream, and moving from idea to reality, when it is the subject of new laws and lawsuits.