You own your face: States fight to keep companies from storing your biometric data

Should Facebook have a right to store a template of your face without your knowledge or consent? State lawmakers are increasingly questioning the tech giant’s answer to that question, thanks largely to an Illinois law that has allowed major lawsuits to proceed against companies that store this type of biometric data.

On Jan. 7, a Chicago judge ruled that a suit against photo-sharing company Shutterfly could proceed on the basis of the state’s Biometric Information Privacy Act. The law prohibits companies from collecting “personal physiological biometric information” such as fingerprints, retina scans or, plaintiffs in the case argue, facial scans.

“There are serious privacy concerns related to the unauthorized capture and storage of biometric data by these companies, and currently Illinois is the only state to allow private citizens to sue,” said David Milian, the lead attorney in the case.

“The data privacy concerns are enormous. You can always change your password or get a new credit card or Social Security number if these websites are hacked, but you can’t change your facial geometry,” Milian said.

Several similar lawsuits were filed against Facebook last year based on the law, though the likelihood they will succeed diminished after a federal judge transferred the suits to San Francisco. While California lawmakers had been considering a law based on Illinois’ biometric law, it failed to pass by the end of the year.

At issue is the fact that the companies store all of the facial recognition data passing through their servers. They say it’s intended to make their services more efficient. A significant problem is that the companies retain information from all of the pictures their users upload, so the data extends beyond just the users of the service. In the case of Shutterfly’s approximately 3 million users, the implications of that practice could extend to millions more. In the case of the 1.5 billion who use Facebook, the problem could extend to half the globe.

Though Facebook may have gained a reprieve by being transferred to a California court, the company’s relief may not last long. Lawmakers in Alaska and tech-friendly Washington have also taken an interest in laws that would protect biometric data. In Olympia, that legislation overwhelmingly passed the House last March by a vote of 91-6. It stalled in the state Senate for nearly a year, but proponents are hoping it could finally receive a vote in that chamber within weeks.

“We see, as a legislature, Washington as being kind of the forerunner with this,” state Rep. Mark Harmsworth told the Washington Examiner. “Washington is a leader in the technology sector. We have a lot of key players in the technology, including Microsoft and Amazon, so we want to be out in front on a lot of these things to protect the consumer,” he added. “We want to blaze the trail here … it’s pretty much a bipartisan issue.”

If the bill passes, it will make Washington the third state with a law governing the collection of biometric data. The other, besides Illinois, is Texas. That state’s law, passed in 2001, restricts right of action to the attorney general, which prevents individuals from filing their own suits. Though Washington’s law would follow that model, its passage this year would take on a different meaning than the Texas version, which passed three years before Facebook even went online.

Harmsworth noted that a law in even one jurisdiction could affect national standards for data collection. “The collection of data doesn’t know boundaries between states… It’s a very complex issue with national implications,” he said.

He added that those implications could lead to federal legislation. “To what extent they copy what we do, or have a slimmed down version of it, I don’t know yet.”

Milian agreed with Harmsworth, both with respect to the broader impact that state laws could have and the likelihood that the issue will eventually reach the nation’s capital.

“The use of biometrics in businesses will grow substantially in the coming years,” Milian told the Examiner. “Companies that are collecting or using biometric data will need to assess their practices to ensure they are in compliance with all applicable laws, whether in Illinois or Texas.”

“Federal legislation addressing the collection and potential misuse of highly personal biometrics, requiring express consent from individuals, and providing effective remedies for violations, is necessary and inevitable,” he concluded.
