Biometric information — data that pertains to an individual’s biological characteristics, like facial recognition patterns, DNA, fingerprints, and iris scans — is some of the most sensitive data about each of us, in part because it is generally immutable. You can get a new email address, but getting a new genome is a lot harder. It’s for these reasons that we’ve consistently argued for limited collection of biometric information, and strong protections for its use and retention. Illinois, which has one of the country’s strongest state biometric privacy laws on the books, may soon significantly weaken its protections. We hope the Illinois Legislature doesn’t take such a misguided step.
The Illinois law, as it currently stands, applies to faceprints, fingerprints, retina and iris scans, and handprints. Any private entity that collects biometric data must create a written policy, and explicitly limit its retention of that data to either whenever it has satisfied the initial need for the data, or within three years of the last interaction with the individual — whichever comes first. It also contains a robust notice and consent regime to ensure that biometric data is only collected with the active consent of the user, and limits the ability of private entities to share that data without obtaining consent. A private party can sue for violations of the law.
Given the sensitivity of biometric data, creating strong protections around its collection, use, and retention is a sound government policy goal. State-level protections for privacy have frequently been a bellweather for state-level consensus or federal action, and with little action on the federal level for comprehensive privacy protections or biometric-specific protections, Illinois took an important step by enacting its biometric privacy law — one that shouldn’t be undermined.
The proposed legislation — which was only introduced on Thursday, an apparent last-minute submission just prior to the legislative session’s end on Tuesday — appears minor on first glance, but contains a key definitional change that would drastically limit what counts as biometric data. It defines “scan” such that a “scan of face or hand geometry” (which is how face and hand prints are currently defined) must be done in person by an electronic beam, such as a laser. This means that digital facial recognition, done using software, wouldn’t be covered under the law anymore.
Given that digital facial recognition is the most prevalent form of biometric identification at present, and probably the most intuitive to consumers, this is a nonsensical change and a significant loss for the public. With an increasing number of photos and videos online, and rapid growth in apps and services allowing for uploading and sharing those photos, weakening protections around facial recognition is exactly the wrong step at this time. Moreover, doing so without time for sufficient public debate, less than a week before the end of a legislative session, is an undemocratic maneuver that minimizes the potential for public engagement on a vital issue of policy and technology. We hope that the Illinois Legislature does not act hastily to weaken a law that, in its current form, is laudable for recognizing both the future of technological capability and the need to protect the state’s citizens from misuse of some of their most sensitive data.