A Simple Way to Measure Whether Your Privacy Law Is Worth a Damn
Though most Americans have likely never heard of it, Illinois’ 12-year-old Biometric Information Privacy Act (BIPA) has proven itself to be the country’s strongest legal barrier against the unfettered collection of fingerprint, iris, voice, and facial recognition data.
Other states have taken notice. California’s Consumer Privacy Act (CCPA) included biometric data in its broad set of privacy protections when it went into effect in 2020, and just last week Virginia passed its own data privacy act, which experts say is largely modeled on California’s. New York and Maryland also introduced new bills in 2021 specifically targeting biometrics data, each of which closely echoes Illinois’ law.
BIPA’s strongest accountability measure allows citizens to pursue lawsuits against companies illegally collecting biometric data. The provision, called a “private right of action,” is the mechanism used to take Google, Facebook, and Apple to court over their facial recognition data collection practices. It’s also why Facebook settled a precedent-setting $650 million lawsuit with Illinois residents.
As such, all biometric privacy legislation can be judged by this yardstick: Does the law actually empower citizens to fight back against the unlawful use of their protected data, as BIPA does?
So far, few have measured up. California’s CCPA includes a watered-down version of this provision, which says consumers can take action, but only if their data has been part of a security breach. For all other instances, the power rests in the hands of the California attorney general to bring a lawsuit. Virginia’s new privacy law lacks the provision altogether, as do biometric privacy laws in Washington and Texas.
New York and Maryland’s new bills, meanwhile, do include this language, meaning consumers in the states would be able to directly hold companies accountable if the laws are passed.
All biometric privacy legislation can be judged by this yardstick: Does the law actually empower citizens to fight back against unlawful use of their protected data, as BIPA does?
California’s data breach provision is still better than nothing. Legal experts who have analyzed the CCPA’s limited version of private right of action predict an uptick in lawsuits surrounding companies’ illegal use of consumer data.
“The CCPA… poses a significant risk of class action litigation,” lawyers from the firm Blank Rome recently wrote in Legaltech News. “Taken together, all companies handling biometric data and falling under the scope of the CCPA must take immediate action to ensure strict compliance with California’s game-changing privacy law to mitigate the substantial risk of exposure.”
Subsequent laws that don’t allow direct action aren’t entirely toothless, but are hampered by the fact that they rely on state officials to prioritize enforcement, which is not a given.
These laws are a struggle to get passed at all — even those that lack strong accountability language. In 2019, representatives in Florida and Arizona introduced similar biometric privacy bills, but both failed. This is New York’s third attempt at passing biometric privacy legislation — the first two failed as well — though the landscape is a little different after 2020’s statewide suspension of facial recognition in schools.
Illinois’ own BIPA is also being challenged, however, in a case that the controversial surveillance company Clearview AI hopes to take to the Supreme Court.
According to Clearview’s lawyers, BIPA is in “need of clarification from the Supreme Court, as lower courts have struggled to identify consistent rules or standards.” And as Clearview AI has repeatedly been shown to be one of the most aggressive and invasive collectors of facial recognition data — that’s even more evidence BIPA is working exactly as intended.
Read more about that case here: