Illinois Moves To Gut Its Own Gold Standard on Biometric Privacy


Illinois lawmakers are poised to remove some biometric privacy protections for residents reversing a stance that made the state a gold standard for privacy advocates. A newly proposed bill would give businesses the ability to harvest and monetize the biometric data of individuals without their consent. The bill is supported by a number of technology companies including Facebook as well as lobbyists for the technology industry.

Illinois’ Biometric Information Privacy Act was passed in 2008 and includes some of the strictest limitations on how an individual’s biometric data can be used in the US. According to the law, private entities must obtain consent from someone before using their biometric data and once a private entity has this data it must move quickly to destroy it once it is no longer needed. Private entities that violate the law can also be sued.

Amendments to the law proposed in the new bill would give businesses nearly free reign to use biometric data without consent. As a result, individuals may not know that a business has captured their face or other identifiers and there would be nothing compelling them to delete the data if it is no longer being used.

Supporters say the change say it is necessary to keep pace with new technology and that businesses – specifically employers which regularly use biometrics for timekeeping shouldn’t have to ask employees. Right now, employers can use biometrics but they are required to notify them and get consent.

According to a report in the Chicago Tribune, the law could also be inhibiting consumer product availability and investment in the state. In one example cited by the paper, video enabled doorbells that use facial recognition to announce visitors aren’t being sold in Illinois. Facial recognition features in other popular software applications also aren’t available in Illinois presumably because of the law.

But supporters of BIPA question whether that’s really a problem. The Electronic Frontier Foundation, a civil liberties advocacy group, sent a letter to Senator Bill Cunningham, (D-Chicago), the bill’s sponsor, noting that biometric data is easier than ever before to capture, steal and sell and that laws should protect individuals, not help businesses sell data without consent. The letter also underlines the murky relationship between data brokers and law enforcement:

Businesses may monetize their biometric databases by selling them to law enforcement and immigration enforcement officials. The FBI regularly enlarges the massive scope of its fingerprint database. Police across the country purchase myriad kinds of personal information from data aggregators. The U.S. Department of Homeland Security (DHS) gathers biometrics from international travelers. DHS also purchases all manner of personal information from data aggregators,for purposes of locating and deporting undocumented immigrants. As with many aspects of our nation’s troubled criminal justice and immigration enforcement systems, placing a new set of highly sensitive personal information in the hands of the government may have a disparate impact against racial, ethnic, and religious minorities.

The timing of the bill is also curious. Lawmakers started hearings today even while Facebook CEO Mark Zuckerburg goes before both houses of Congress to explain exactly how many different ways the company sells biometric and other personal data without users informed consent. Facebook is a supporter of the bill put forward by Cunningham and similar bills in other states that would limit how biometric and other personal data can be used. Facebook is also currently battling a BIPA lawsuit in court.