Amendment to exclude Facebook facial-recognition technology from Illinois’ privacy law put on hold

A proposed amendment to the Illinois Biometric Information Privacy Act that would exclude facial-recognition technology used by Facebook from the privacy protections of the act has been postponed after privacy advocates and the Illinois attorney general raised concerns.

A lawsuit against Facebook under an Illinois privacy law has raised questions about the dangers inherent in the increasing use of technology that identifies and stores data about people’s facial and physical likenesses.

A federal district court in California ruled May 5 that the class-action case against Facebook could proceed. A few weeks later, an Illinois politician proposed a change to Illinois’ privacy law that could exclude the facial-recognition technology at the heart of the case against Facebook from the provisions of the privacy law.

Less than one week before the end of Illinois’ legislative session, state Sen. Terry Link, D-Vernon Hills, proposed an amendment to Illinois’ Biometric Information Privacy Act, or BIPA, to specifically exempt physical and digital photographs and biometric information derived from photographs from the privacy protections of the act. This proposal could affect the status of technology used not only by Facebook, but also by Shutterfly, Google and Snapchat, who too face lawsuits brought under the BIPA. The amendment could effectively exclude as violations of the law the facial-recognition technology programs on which the lawsuits are based. After privacy advocates and the Illinois attorney general raised concerns about the proposed amendment, the amendment was put on hold May 31.

The Illinois General Assembly passed the BIPA in 2008 to regulate the collection, use and storage of biometric data by private entities. Currently the BIPA includes as “biometric information” data based on a “biometric identifier” such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Link’s proposed amendment, however, would specifically exclude “physical or digital photographs” from the definition of biometric identifier, and would add a definition of “scan” that includes only “data resulting from an in-person process whereby a part of the body is traversed by a detector or an electronic beam.”

Illinois’ BIPA makes it illegal for a private entity to obtain a person’s biometric identifier or information, unless the entity first informs the person in writing and discloses the specific purpose and length of time for which the data is being collected, stored or used. The entity must then obtain written consent from the person to use or store the biometric information.

The act further prohibits trading or making a profit from a person’s biometric information, and requires the party in possession of the data to protect the security of the information. Under the BIPA, Illinoisans have the right to sue private parties and to collect money damages for violations of the act.

Link’s proposed amendment could remove from the purview of the BIPA claims like those in the pending class action lawsuit against Facebook Inc. over the tech giant’s photo “tag suggestions.” Through this feature, when a user posts a photo, Facebook makes suggestions as to who should be tagged using facial-recognition software that measures a person’s unique facial geometry (e.g., the distance between a person’s eyes, nose and ears).

The proposed amendment could similarly affect claims like those brought in May through a class action lawsuit against Snapchat Inc. in which plaintiffs have alleged Snapchat violated the BIPA through the use of facial-recognition technology in its photo-alteration “Lenses” function.

Privacy advocates and the Illinois attorney general both opposed Link’s amendment, according to Ars Technica, while a spokesman for Facebook told the New York Times the company supported the measure. The Center for Democracy & Technology noted the law had been proposed less than a week before the end of the legislative session and said it would compromise protections for the “most prevalent form of biometric identification” now in use. Marc Rotenberg, president of the Electronic Privacy Information Center, in a statement reported in the New York Times, said Facebook’s alleged lobbying against Illinois’ privacy law is “bad news for consumers.”

The Illinois lawmakers who drafted the BIPA were concerned that the potential misuse of biometric information could leave a person with “no recourse, … at heightened risk for identity theft, and … likely to withdraw from biometric-facilitated transactions.” And lawmakers warned, “The full ramifications of biometric technology are not fully known.”

People concerned about privacy should support smart measures to safeguard biometric data. However, a statute that enables the filing of potentially billions of dollars in claims against tech companies might have other effects, such as the suppression of helpful technological advances and job creation, that should give Illinoisans pause.