Is the Tide Turning Against Facial Recognition? 

Privacy Plus+

Privacy, Technology and Perspective

Is the Tide Turning Against Facial Recognition?  This week, Facebook reported in its quarterly filings that it has agreed to pay $550 million to settle a class action lawsuit in Illinois, alleging that its photo-labeling service (“Tag Suggestions”) violates the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14.  The suit claims that Tag Suggestions collects facial-recognition data from millions of users in Illinois without consent or proper disclosure about how long Facebook would keep the data. 

You can read the New York Times article about this settlement by clicking the following link:

https://www.nytimes.com/search?query=Privacy+Suit+has+Big+Sting

We think the key to this settlement is the private right of action that is included in the BIPA – and which provides for recoveries of up to $5,000 per violation. 

You can read the act by clicking the following link:

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

Summarized, the BIPA is an informed consent statute that achieves its goal of protecting individuals’ privacy, anonymity, autonomy, and security by making it unlawful for a company to, among other things, “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifiers . . . , unless it first:

(1) informs the subject . . . in writing that a biometric identifier . . . is being collected or stored;

(2) informs the subject . . . in writing of the specific purpose and length of term for which a biometric identifier . . . is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier.”

740 ILCS 14/15(b). Under the BIPA, biometric identifiers are defined to include retina and iris scans, voiceprints, fingerprints, and—most importantly here—scans of facial geometry. See 740 ILCS14/10.

The BIPA also establishes standards for how companies in possession of biometric identifiers must handle them, including a requirement that companies develop and comply with a written policy—made available to the public—establishing a retention schedule and guidelines for permanently destroying biometric identifiers. See 740 ILCS 14/15(a), (c)–(d).

Recall that almost a year ago to this day, the Illinois Supreme Court held that a violation of its state biometric law can constitute a harm in and of itself, without requiring more.  Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019).

You can read the Rosenbach opinion by clicking the following link:

https://courts.illinois.gov/Opinions/SupremeCourt/2019/123186.pdf

We have two reactions, leading to one conclusion. 

First, notice the power of a single large state to effect significant change.  Illinois is too big to “segregate” or “work around,” so every company that does facial-recognition business on a national level will have to reckon with BIPA one way or another. 

Second, we wonder if this will set off a sort of “race” or “competition” among states regarding broader issues of privacy policy.  Two states have already less strictly regulated the use of biometric identifiers—Texas (Tex. Bus. & Comm. Code § 503) and Washington (RCW § 19.375)—while South Carolina recently introduced legislation reflecting its own version of BIPA, which you can review by clicking on the following link:

https://www.scstatehouse.gov/sess123_2019-2020/bills/4812.htm

Every state now also has some sort of breach-notification statute.  While they are generally consistent in intent and practice to varying degrees and with sundry peculiarities here and there, we have previously posted about how New York’s SHIELD Act (S.5575B/A.5635), which becomes effectively on March 21, 2020, has been reborn with data security requirements.  You can read our post here:

https://www.hoschmorris.com/privacy-plus-news/ny-shield-act

Breach notification may be relatively “easy” to legislate (maybe even appropriate for study by, say, the Commission on Uniform State Laws). But particular data security requirements and stronger police/security arguments for use of facial-recognition technology leave more “room” for impassioned, two-sided debate than may exist in keeping consumers in the dark about breaches. Hence, smaller, more homogenous states may find it easier to reach agreement quickly than may their larger, more diverse neighbors, and the result may be a spreading patchwork which is increasingly hard to manage.

We think this point to a clear conclusion: this area needs national legislation.

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.