Biometric Laws vs. Big Tech – The Battle
Many people are familiar with Illinois’ biometric privacy law called BIPA, The Biometric Information Privacy Act. BIPA says that companies can’t use your biometric data without your permission. BIPA only applies to IIllinois residents, but it is still having an impact.
Like California’s privacy law, BIPA allows you and me (if we live in Illinois) to sue a company that misuses my biometric data. This is called a private right of action. Unlike California’s CCPA, which only allows you to sue if there is a breach, BIPA allows you to sue if your data is misued.
The courts seem to be siding with the people suing. In 2019, the Illinois Supreme Court said that people can sue for technical violations (like not giving notice of how they are going to use my data). The the federal courts, the Ninth Circuit, said that technical violations give a person “Article III standing” without showing actual harm.
There have been many BIPA lawsuits, in both federal and state court and, for the most part, big tech has been losing and paying up. It can cost them up to $5,000 per violation. TikTok paid $92 million. Google paid $100 million and Snapchat paid $35 million, among many others.
This week Texas Attorney General Ken Paxton (who is running for re-election), decided to sue Google Facebook for unlawfully capturing, disclosing and retaining the facial geometry of users and non-users. The Texas law that he is using, called the Texas Capture or Use of Biometric Identifier law (CUBI) has been around for 20 years. The lawsuit seeks damages for billions of alleged violations since 2010 and seeks an injunction. While there is no private right of action in Texas, the AG can sue for up to $25,000 per violation.
Then Paxton sued Google for similar offenses like capturing voice prints without proper consent.
Today, Illinois, Texas and Washington all have basically similar state biometric privacy laws. Baltimore, Portland and New York all have local biometric privacy laws.
Next year add to that list, at least, California, Colorado and Virginia, all of which regulate biometric data as part of their privacy laws.
Are you ready?
If you are not ready and are concerned about whether you are handling biometric data correctly, please contact us.
Credit: Woodruff Sawyer , Rivkin Radler, CNN, ZwillGenBlog and Bleeping Computer
by 