A PYMNTS Company

States Seek to Fill Void Left by Congress On Collection of Biometric Data by Tech Companies

September 7, 2025

States are stepping in to try to fill a gap left by Congress’ failure to set national regulatory standards for the collection of biometric data on consumers by technology companies using face-scanning tools, NPR’s All Things Considered reports. According to data compiled by the National Conference of State Legislatures, 23 states have now passed or expanded existing laws to restrict the mass scraping or bulk collection of biometric data such as faces, eyeballs, voice and other individually identifying features.

    Last month, Colorado enacted new biometric privacy rules requiring informed consent before facial or voice recognition technology can be used, while banning outright the sale of the data. Texas passed an AI law in June that likewise bars collection of biometric data without consent, per NPR, while Oregon adopted data privacy rules last year requiring affirmative opt-in by consumers before face, eye, or voice data can be collected.

    “Facial recognition is everywhere. And partially, we’re complicit in that,” University of Essex professor Peter Fussey told the pubcaster. “We get a convenience dividend by being able to open our phones easily, or get through airports faster, or access our finances. But there’s no downstream control over how our biometric data is used.”

    In some cases, the state laws provide a private right of action against tech companies. But most rely on state enforcement to check companies’ behavior, according to NPR. Google and Meta have each paid $1.4 billion to Texas over allegations of data mining users’ facial recognition data without permission, while Clearview was ordered by a federal judge in Illinois to pay $51 million to settle charges of scraping billions of facial images from the web without consent. Google coughed up $9 million in Illinois in June to settle a lawsuit involving its collection of biometric data without consent from students using an online education tool.

    The pattern has become a familiar one. From AI, to health data, to facial recognition and automated decision-making systems, Congress has failed to establish national standards for the use of such tools and the data they collect. That’s left states to try to provide a measure of consumer protection, creating a patchwork of different regulatory regimes around the country and forcing companies to navigate an increasingly complex matrix of rules.

    “What we need are laws that change the behavior of technology companies,” said Adam Schwartz, privacy litigation director at the Electronic Frontier Foundation, who has been involved in lobbying Congress for national biometric data regulations, so far with no luck.

    “And the singular reason is that tech companies show up and say, ‘these laws would intrude on our profits,’ and they hire lobbyists to influence the process,” Schwartz said. “But I think people are getting more and more fed up with tech companies ignoring their privacy.”

    Some experts also worry that laws currently on the books in states are not up to the task. “I’m not saying it’s better than nothing, but if you’re hanging these legal frameworks on a model of informed consent, it’s clearly ineffective,” said Michael Karanicolas of Dalhousie University in Canada, who studies digital privacy. “Nobody is reading these terms of service. Absolutely nobody can effectively engage with the permission we’re giving these companies in our surveillance economy.”

    State laws are also limited in their reach to their own borders, noted Brandon Wise, an attorney attempting to sue “facial search engine” PimEyes on behalf of Illinois residents. PimEyes pulled out of the state over its new privacy laws, but Wise found images of Illinois residents remained in its database. He has been unable to serve PimEyes CEO Giorgi Gobronid, however, who appears to be based in the Georgian capital, Tbilisi, while the company is headquartered in Belize.

    “It was incredibly frustrating,” Wise told NPR. “But it felt like we were suing a ghost.”