Biometric Information Privacy Act

Illinois State Legislature
Full name: An act concerning health.
Introduced: February 14, 2008
House voted: May 30 (113-0)
Senate voted: July 10, 2008 (42-0)
Signed into law: October 3, 2008
Sponsor(s): Terry Link
Governor: Rod Blagojevich
Bill: SB 2400
Website https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=095-0994
Status: Current legislation

The Biometric Information Privacy Act is a law set forth on October 3, 2008 in the U.S. state of Illinois, in an effort to regulate the collection, use, and handling of biometric identifiers and information by private entities. [1] Notably, the Act does not apply to government entities. [1] While Texas [2] and Washington [3] are the only other states that implemented similar biometric protections, BIPA is the most stringent. [4] The Act prescribes $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. [1] Because of this damages provision, the BIPA has spawned several class action lawsuits. [5]

Provisions

The BIPA requires companies doing business in Illinois to comply with a number of requirements pertaining to the collection and storage of biometric information. These include a requirement that companies:

A key area of focus is that an entity must use a "reasonable standard of care" [7] in managing biometric information and identifiers.

Standing

BIPA is the only law in the U.S. that provides a private right of action to any individual who is aggrieved by a violation. [1] However, in order to litigate a BIPA action in federal court, the aggrieved person must have federal constitutional standing, otherwise known as Article III standing. [4] Generally, Article III standing requires that a plaintiff suffer an injury to a legally protected interest that is causally connected to the defendant's conduct, and that such injury will likely be addressed by a court's decision. [8]

Legislative history

Senate Bill 2400, which eventually became the Biometric Information Privacy Act, was introduced by State Senator Terry Link on February 14, 2008; it passed both Houses of the Illinois General Assembly on July 10, 2008, and was approved by then-Governor Rod Blagojevich on October 3, 2008. [9] The purpose of the Act was to establish standards of conduct for private entities that collect or possess biometric information. [10] In 2016, Senator Link proposed and later withdrew an amendment to the Act that would have limited the Act's application to biometrics collected in public. [11]

Proposed Federal Regulation

The National Biometric Information Privacy Act

On August 3, 2020, Senator Jeff Merkley introduced the National Biometric Information Privacy Act of 2020 (Senate Bill 4400). [12] While the Act contains provisions similar to BIPA, [13] it is more expansive than BIPA. [14] If passed, the Bill would be the first of its kind to regulate biometric information on a national scale. [15]

Notable cases

As biometric technology advances, there have been a number of lawsuits related to data collection methods, as well as various levels of protection over data. Using fingerprints to clock in and out of work is an example of a technology that fights what is known as "buddy punching", the practice of having somebody else clock in for another worker at a job. In Illinois, the Biometric Information Protection Act law allows people to sue employers for mishandling biometric data. According to the Cook County Record, "In Illinois, both the parent company of Mariano's supermarkets and the Intercontinental Hotel Group have been hit with class action lawsuits alleging they improperly collected and stored employee fingerprints and other biometric data." [16]

Federal court cases

In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016)

Monroy v. Shutterfly, Inc., No. 16 C 10984, 2017 WL 4099846 (N.D. Ill. Sept. 15, 2017)

Rivera v. Google, Inc., 238 F. Supp. 3d 1088 (N.D. Ill. 2017)

McDonald v. Symphony Bronzeville Park LLC, N.E.3d (Ill. App. Ct. Sept. 18, 2020). [21]

State court cases

Rosenbach v. Six Flags Entm't Corp., 2019 IL 123186

Additionally, an employee of the NorthShore University HealthSystem has sued the company for allegedly collecting worker fingerprints without their consent, in violation of the Illinois Biometric Information Privacy Act. In Cook County Circuit Court, the employee alleged "that the defendant scanned and digitally collected his fingerprints without consent, for use with a biometric employee punch clock." [25]

Settlements

On December 1, 2016, the first settlement involving the BIPA was approved by a judge in Cook County, Illinois. [26] The class action lawsuit was against L.A. Tan Enterprises, Inc. and settled for $1.5 million, which included between $125 and $150 for each class member who filed a claim. [27]

In February 2021, Judge James Donato approved a $650 million settlement in the federal In re Facebook Biometric Info. Privacy Litig. case, praising the settlement as "a major win for consumers in the hotly contested area of digital privacy." [28] [29] Two class members have appealed the settlement to the United States Court of Appeals for the Ninth Circuit. [30]

Challenges

There was a bill (SB3053) pending before the Illinois legislature to amend the BIPA. The bill proposed to exempt private entities from the BIPA's requirements under a number of circumstances, including (1) if the biometric information is used "exclusively for employment, human resources, fraud prevention, or security purposes", (2) if the company "does not sell, lease, trade or similarly profit" from the biometric information, or (3) if the company protects biometric information at least as securely as it secures other sensitive information. [31] The bill never got out of committee, and expired in 2019.

SB3053 was viewed by privacy advocates as an attempt to entirely gut the BIPA. [32] [33] [34] It received significant opposition from many groups that advocate for digital privacy rights, including the Electronic Frontier Foundation. [6]

During Facebook founder Mark Zuckerberg's testimony before Congress on April 10, 2018, in the aftermath of Facebook's scandal with Cambridge Analytica, Senator Dick Durbin questioned Zuckerberg about Facebook's support for SB3053.

There are a number of similar bills that have been introduced in states across the country. [35] These include:

Foreign equivalents

On May 25, 2018, the EU effectuated the General Data Protection Regulation (GDPR), [39] one of the world's strongest data protection regulations to date. [40]

References

  1. "740 ILCS 14/20 Biometric Information Privacy Act". www.ilga.gov. October 3, 2008. Archived from the original on April 3, 2022. Retrieved November 4, 2021.
  2. "BUSINESS AND COMMERCE CODE CHAPTER 503. BIOMETRIC IDENTIFIERS". statutes.capitol.texas.gov. Retrieved November 4, 2021.
  3. "RCW 19.375.020: Enrollment, disclosure, and retention of biometric identifiers". app.leg.wa.gov. Retrieved November 4, 2021.
  4. Neace, Gabrielle (2020). "Biometric Privacy: Blending Employment Law with the Growth of Technology". UIC J. Marshall L. Rev. 73: 75 via UIC Law Open Access Repository.
  5. "Biometric Privacy Litigation: The Next Class Action Battleground". Retrieved May 14, 2018.
  6. Schwartz, Adam (April 10, 2018). "New Attack on the Illinois Biometric Privacy Act". Electronic Frontier Foundation. Retrieved May 14, 2018.
  7. "ILGA". Illinois General Assembly.
  8. "Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992)". Cornell Law School Legal Information Institute. Archived from the original on January 19, 2022.
  9. "LRB Digest Indices" (PDF). www.ilga.gov. Retrieved May 23, 2018.
  10. "Westlaw Sign In | Thomson Reuters". 1.next.westlaw.com. Retrieved May 23, 2018.
  11. "Facebook-backed lawmakers are pushing to gut privacy law". The Verge. Retrieved May 23, 2018.
  12. Merkley, Jeff (August 3, 2020). "Text - S.4400 - 116th Congress (2019-2020): National Biometric Information Privacy Act of 2020". www.congress.gov. Retrieved October 14, 2021.
  13. Shifrin, Dmitry (May 28, 2021). "Past, Present and Future: What's Happening with Illinois' and Other Biometric Privacy Laws". The National Law Review, Volume XI, Number 148. Archived from the original on March 23, 2022. Retrieved October 21, 2021.
  14. "The Evolution of Biometric Data Privacy Laws". Bloomberg Law. August 4, 2021. Archived from the original on February 18, 2022. Retrieved October 21, 2021.
  15. Ibadi, Mona (December 7, 2020). "Protecting our Fingerprints and Retinas: A Call for Biometric Data Privacy Legislation". The Wake Forest Journal of Business & Intellectual Property Law. Archived from the original on October 25, 2021. Retrieved October 21, 2021.
  16. Minnis, Glenn (March 2, 2018). "Employers facing surge in class action suits over storage, use of employee fingerprints, other biometrics". Cook County Record. Retrieved October 8, 2018.
  17. "Facebook Users Win Class Cert. In Face Scan Privacy Row". Law360. April 16, 2018. Retrieved October 29, 2019.
  18. "Monroy v. Shutterfly, Inc., No. 1:2016cv10984 - Document 39 (N.D. Ill. 2017)". Justia Law. Retrieved February 11, 2019.
  19. Bilyk, Jonathan. "Judge won't short-circuit class action accusing Google Photos of breaking IL biometric privacy law". Retrieved May 23, 2018.
  20. "Rivera et al v. Google LLC., No. 1:2016cv02714 - Document 207 (N.D. Ill. 2018)". Justia Law. Retrieved February 11, 2019.
  21. "McDonald v. Symphony Bronzeville Park LLC, N.E.3d (Ill. App. Ct. Sept. 18, 2020)" (PDF). Justia Law. Archived (PDF) from the original on October 21, 2021. Retrieved October 14, 2021.
  22. Callow, Clingen; Molho, McLean LLC-Ross I.; Eikram, Iman (May 21, 2021). "Perhaps Some Relief Under Illinois' Biometric Information Privacy Act". Lexology. Retrieved October 21, 2021.
  23. "Recent Illinois Appellate Court Ruling Could End The Recent Flood Of Class Action Lawsuits Against Employers Under Illinois' Biometric Information Privacy Act". Littler Mendelson P.C. January 9, 2018. Retrieved May 23, 2018.
  24. Schwartz, Jennifer Lynch and Adam (January 25, 2019). "Victory! Illinois Supreme Court Protects Biometric Privacy". Electronic Frontier Foundation. Retrieved February 11, 2019.
  25. Torres, Louie. "NorthShore University HealthSystem allegedly collected worker fingerprints without consent". Retrieved October 8, 2018.
  26. "First Settlement Reached Under Illinois Biometric Law". Retrieved May 14, 2018.
  27. "Winston & Strawn". Winston & Strawn. Retrieved May 23, 2018.
  28. "In re Facebook Biometric Info. Privacy Litig".
  29. "Judge Approves Facebook's $650M Privacy Settlement as 'Major Win for Consumers'". Law.com. February 26, 2021.
  30. "Facebook Biometric Information Privacy Litigation". Archived from the original on February 25, 2022. Retrieved February 25, 2022.
  31. "Illinois SB3053 | 2017-2018 | 100th General Assembly". LegiScan. Archived from the original on March 8, 2020. Retrieved May 14, 2018.
  32. "Facebook-backed lawmakers are pushing to gut privacy law". The Verge. Retrieved May 14, 2018.
  33. Marotti, Ally. "Proposed changes to Illinois' biometric law concern privacy advocates". chicagotribune.com. Retrieved May 14, 2018.
  34. "Biometric Information Privacy". Technology Safety. Retrieved May 14, 2018.
  35. "Biometric Information Protection: The Stage is Set for Expansion of Claims". www.lexisnexis.com. Retrieved May 14, 2018.
  36. "Establishing a committee to study the use and regulation of biometric information". Act of May 17, 2018. New Hampshire State Legislature.
  37. "Bill Search and Legislative Information | New York State Assembly". nyassembly.gov. Retrieved April 12, 2021.
  38. "NY State Senate Bill S1933". NY State Senate. January 16, 2021. Retrieved April 12, 2021.
  39. "General Data Protection Regulation". EUR-Lex. April 27, 2016. Archived from the original on April 1, 2022.
  40. Fisher, Sandra L.; Bondarouk, Tanya (2020). "Encyclopedia of Electronic HRM" (PDF). University of Twente Research Information System (RIS). Archived (PDF) from the original on October 21, 2021.