Biometrics are increasingly being relied upon to secure payments and commerce while making transactions more seamless for consumers, a trend that seems all but certain to increase in the coming months and years. But the laws and regulations governing biometrics have yet to catch up to the reality of their use, and that’s perhaps most apparent when it comes to two recent, high-profile cases in Illinois.
The Illinois Biometric Information Privacy Act, commonly known as BIPA, not only stands as the strictest biometric privacy law in the U.S., but also serves as the model for other laws that have been crafted or are being considered by other states (much as Europe’s GDPR has sparked other data privacy efforts around the world). There exists no similar federal law in the U.S.
The Illinois law requires that companies collecting biometric information like iris and facial scans or fingerprint data get prior consent from individuals. Companies also have to let people know how they’re going to use the data and the amount of time the records will stay in their possession.
Since the law’s enactment in 2008, an estimated 200 class-action and other lawsuits have been filed that claim violations of BIPA. Suits have been filed against Six Flags and Google for those companies’ alleged violations of the state law. Recent rulings in those cases have brought a sense of unclarity to the application of biometric law, which means companies using biometrics find themselves uncertain of their best moves and practices. Many companies that use biometrics across a broad swath of industries in Illinois have been affected, including Snapchat, Google, Facebook and Shutterfly.
The Supreme Court in Illinois ruled on Jan. 25 that a teen can sue the Six Flags amusement park over violation of the Illinois biometric privacy law in a case that could have repercussions for tech giants like Google and Facebook. The alleged BIPA violation occurred when the amusement park scanned the teen’s fingerprint as part of the season pass process.
Meanwhile, also in January, a federal judge dismissed a BIPA lawsuit against Google because, the judge said, there was a lack of “concrete injuries” suffered by the plaintiffs. That suit, filed in March 2016, accused Google of breaking Illinois state law by collecting and storing biometric data from photographs via facial recognition software through its Google Photos service.
In short, the U.S. federal court found that, in the Google case, since there was no harm, there was no standing for the lawsuit. But in the Six Flags case, the mere (alleged) violation of BIPA was enough to constitute standing.
The seemingly contradictory outcomes of those two recent cases are understandably leading to some confusion and questions when it comes to ongoing and future deployments of biometric authentication and related technology. That holds especially true as attitudes among consumers, regulators and lawmakers seem to be hardening when it comes to digital privacy issues in general.
“It remains to be seen how future courts will treat Google, Six Flags and other decisions under BIPA,” read a recent analysis of the cases from Morrison Foerster. “Regardless of whether federal courts manage to separate the issue of standing from substantive issues under BIPA itself, the clear position taken in Six Flags means no court, federal or state, will be able to ignore it.”
Future Biometric Cases
In other words, the analysis said, “In future cases, concerns about security and/or personhood are likely to become more pronounced, which may also pave the way for more and more courts to follow the ruling in Six Flags. The key takeaway is this: Potential exposure to liability under BIPA and other biometric privacy laws is real, and companies and other organizations that collect biometric data need to ensure that they comply with applicable law.”
Illinois is not the only place where precedent and practices are being established for biometric law, and not the only state where companies in the business of biometric authentication, payments and commerce should focus their attention. Two U.S. senators – Missouri Republican Roy Blunt and Hawaiian Democrat Brian Schatz – have introduced legislation that would prevent businesses from collecting and using facial recognition data without the consent of consumers. And the city of San Francisco has mulled a ban on facial recognition that would apply to city departments, not consumers.
As biometric uses for payments and commerce advance, consumers can bet on more such pushes as the case law gets worked out.