In a ruling that could ripple across the nation’s biometric industry and target Facebook’s use of face surveillance without users’ consent, the Illinois Supreme Court has concluded companies can be sued for collecting such data without informed consent.
“Users don’t need to prove an injury like identity fraud or physical harm – just losing control of one’s biometric privacy is injury enough,” concluded the Electronic Frontier Foundation, which participated in the case.
In Rosenbach v. Six Flags a mother sued on behalf of a 14-year-old son whose thumbprint was taken at the amusement park without informed consent in apparent violation of the Illinois Biometric Information Privacy Act.
The law says companies cannot gather, use or share biometric information without informed, opt-in consent.
EFF and several other organizations filed a friend-of-the-court brief in the case urging protection for consumers’ privacy.
“The Illinois Supreme Court agreed with us and soundly rejected the defendants’ argument that BIPA required a person to show an injury beyond loss of statutory privacy rights. The court rejected the company’s argument that violation of a privacy statute is a mere ‘technical violation of the law.’ In fact, the court ruled, it inflicts a serious harm that supports a lawsuit,” EFF said.
“The court recognized that, through BIPA, the legislature had codified an individual’s ‘right to privacy in and control over their biometric identifiers and biometric information.’ The need to codify this right was supported by the legislature’s findings that biometrics may be used to access sensitive information, but unlike other identifiers like Social Security numbers, biometrics are unique to each individual and can’t be changed. As a result, the court ruled, quoting the legislature: ‘once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.'”
The ruling from the court sent the case back to the lower courts.
“We hold that the questions of law certified by the circuit court must be answered in the affirmative. Contrary to the appellate Court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act,” the court said.
EFF said: “Illinois’ BIPA is the strongest biometric privacy law in the United States. As biometric collection, use, and sharing become more widespread and invasive every year, it only becomes more important that private citizens can sue under laws like BIPA to protect their privacy. More businesses than ever are capturing and monetizing our biometric information. Retailers use face recognition to surveil shoppers’ behavior as they move about the store, and to identify potential shoplifters. Employers use fingerprints, iris scans, and face recognition to manage employee access to company phones and computers. People have filed BIPA lawsuits against major technology companies like Facebook, Google, and Snapchat, alleging the companies applied face recognition to their uploaded photographs without their consent.”
EFF said the answer to some of the privacy issues created is a law such as BIPA.
“First, biometric surveillance is a growing menace to our privacy. Our biometric information can be harvested at a distance and without our knowledge, and we often have no ability as individuals to effectively shield ourselves from this grave privacy intrusion. Second, BIPA follows in the footsteps of a host of other privacy laws that prohibit the capture of private information absent informed opt-in consent, and that define capture without notice and consent by itself as an injury. Third, allowing private lawsuits is a necessary means to ensure effective enforcement of privacy laws,” the group explained.
The Facebook case now is on appeal to the 9th U.S. Circuit Court of Appeals.
The new opinion said the lawmakers were clear when they decided to subject “private entities who fail to follow the statute’s requirements to substantial potential liability, including liquidated damages, injunctions, attorney fees, and litigation expenses ‘for each violation.'”
In this case, the park, during a school trip, took a thumbprint from Alexander Rosenbach, a minor, without telling him or his mother “in writing or in any other way of the specific purpose and length of term for which is fingerprint had been collected. Neither of them signed any written release regarding taking of the fingerprint, and neither of them consented in writing ‘to the collection, storage, use sale, lease, dissemination, disclosure, redisclosure, or trade of, or for [defendants] to otherwise profit from, Alexander’s thumbprint.”