By CDT summer intern Edward Ruse.
There is something unique about biometric information – literally, it’s one of a kind. Fingerprints, facial recognition patterns, iris scans, and other biometric information are largely immutable, making them far more sensitive than most unique identifiers or other personal data. When this information is improperly collected, shared, or used for tracking or surveillance, individuals are essentially stripped of their ability to protect their privacy.
This is part of the reason why so much attention has been paid to Illinois’ Biometric Information Privacy Act (BIPA), which arguably provides the strongest legal protections for biometric data in the United States. BIPA includes a number of important provisions regulating the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” The law also provides Illinois residents with a set of affirmative rights regarding their biometric data. Specifically, companies must provide information about their data practices and obtain written consent before collecting and using biometric data. These provisions are important because they give individuals meaningful insight and transparency into corporate biometric data practices, and in many cases, a measure of control over whether biometric information is collected.
Since BIPA’s enactment a decade ago, biometric technologies have spread, as have resulting legal disputes. Companies have challenged the bounds of BIPA, even when they have rather clearly not followed the law. For instance, Stacy Rosenbach sued Six Flags of America in January 2016 for fingerprinting her son without either obtaining written consent or disclosing the amusement park’s plans for what they intended to do with his biometric information. While BIPA clearly requires companies to acquire “informed written consent” before the collection of biometric data, and develop a “written policy, made available to the public,” Six Flags did neither. Instead, the amusement park filed a motion to dismiss Rosenbach’s claims because she was not sufficiently “aggrieved” under BIPA because she had not alleged an actual injury.
Last week, the Center for Democracy & Technology filed an amicus brief with the Illinois Supreme Court that addresses when an individual should be “aggrieved” under BIPA. Joining CDT on the brief are the American Civil Liberties Union, the ACLU of Illinois, Illinois PIRG, the Chicago Alliance Against Sexual Exploitation, the Electronic Frontier Foundation and Lucy Parsons Labs. Our brief argues that the lower court’s holding that a plaintiff is not aggrieved when neither requisite notice nor consent is provided is inconsistent with the language, purpose, and structure of BIPA.
Class action lawsuits inside and out of Illinois are hinging on the decision to be cast in Rosenbach v. Six Flags. If what Six Flags has done is not a violation of BIPA, then it becomes hard to envision what protections the notice and consent provisions in BIPA really offer to Illinois residents — or how the legislature’s intentions behind the law can be fulfilled. Notice is a fundamental component to ensuring adequate transparency into any system of consumer data collection. When a company is not required to inform individuals of how it intends to use collected biometric information – be it fingerprints, facial imagery, or something as seemingly innocuous as an individual’s gait – a consumer’s ability to provide meaningful consent to the collection is inherently undermined. A failure to recognize that the plaintiff has been harmed here would constitute a substantial blow against consumer transparency for biometric data collection.
As our brief states, “the privacy legal landscape has demonstrated profound respect for the role transparency plays in protecting individuals’ privacy.” We hope the Illinois Supreme Court recognizes transparency’s role, and its importance here and going forward.