Biometric Privacy on the Line in Illinois Case

A privacy case developing in Illinois that hinges on how companies notify their customers of biometric information collection practices is shaping up as a test for how courts will interpret privacy laws in an age of pervasive, often invisible, surveillance and data collection.

The case concerns a teenager who bought a season ticket for an amusement park in Illinois and says that the park scanned his thumbprint and stored it without his knowledge or approval. That is allegedly a violation of the Biometric Information Privacy Act that Illinois enacted 10 years ago, a law that requires a company to notify and gain consent from any consumer from whom it is recording and storing biometric identifiers. Under the terms of the law, “No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information” without clear notification and written consent.

The Illinois law defines biometric information as being “any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.” In Rosenbach v. Six Flags, which is now before the Illinois Supreme Court, the plaintiff alleges that the amusement park didn’t provide the required notice or obtain consent before recording his thumbprint. The lower court ruled that the plaintiff was not “aggrieved” by the collection of his biometric data.

A number of privacy groups have focused on the case as a key milepost in the ongoing debate around the collection and use of biometric data, and the EFF, Center for Democracy and Technology, ACLU, and others have filed a brief in support of the plaintiff in the case. They argue that the appellate court ruling was incorrect, and that because biometric information is typically unchangeable, the plaintiff had no real recourse once his data was collected.

“A conclusion in this case that the plaintiff is not an “aggrieved person” would significantly undermine the private enforcement mechanism of the statute, depriving this particular plaintiff of relief and leaving no means to hold wrongdoers accountable for their violations of BIPA’s notice and consent requirements,” the groups say in their brief.

A key element of biometric technology is that in some cases, systems can collect information surreptitiously and without any consent from the targets. Facial recognition systems can scan people’s faces from a distance, and some retailers, concert and sports venues, and schools use them for various purposes. And, because people normally can’t change their biometric information, the data is considered more valuable for companies and more sensitive for consumers.

“Our biometric information can be harvested at a distance and without our knowledge, and we often have no ability as individuals to effectively shield ourselves from this grave privacy intrusion. Second, BIPA follows in the footsteps of a host of other privacy laws that prohibit the capture of private information absent informed opt-in consent, and that define capture without notice and consent by itself as an injury. Third, allowing private lawsuits is a necessary means to ensure effective enforcement of privacy laws,” Adam Schwartz, senior staff attorney at the EFF, said in a post about the case.

Most privacy laws and policies in the United States are based on the concept of notice and consent, an idea that some experts argue is ineffective because most people either don’t read the policies they’re agreeing to or don’t understand the legal intricacies of them. While that ship sailed long ago for data such as Social Security numbers or home addresses, privacy advocates say there is still an opportunity and a need to tightly monitor how biometric data is collected, stored, and used.

“Consumers’ right to control the flow of their biometric information also creates a prophylactic protection against data breaches, internal business misuse, unwanted secondary use, and government access,” the Electronic Privacy Information Center (EPIC) wrote in its own brief in support of the plaintiff in the Rosenbach case.

“A private entity that chooses to collect biometric information in violation of BIPA should not be allowed to ignore its legal obligations. If that were the case, then any person caught speeding could simply argue to the officer they shouldn’t be ticketed because they did not harm any pedestrians. BIPA seeks both to establish best practices for the use of biometric data, such as meaningful consent at the time of collection, and deter practices that place individuals at risk.”

The Illinois Supreme Court is next due to convene in September.