Find out more about the U.S. election results here.

Ruling Is a Warning to Companies Collecting Biometric Scans Without Permission

In a win for privacy rights, the Illinois Supreme Court allowed a lawsuit to continue against a company that scanned a 14-year-old’s thumbprint.

ACLU National
Feb 8, 2019 · 4 min read
Image for post
Image for post

By Nathan Freed Wessler, Staff Attorney, ACLU Speech, Privacy, and Technology Project | FEBRUARY 8, 2019 | 4:45 PM

The Illinois Supreme Court issued an important decision in late January rejecting attempts to gut the state’s landmark law that bars companies from collecting people’s biometric identifiers — including face recognition scans, fingerprints, and iris scans — without providing a written explanation of what they plan to do with the data and obtaining consent.

The law, called the Biometric Information Privacy Act (BIPA), has been on the books for over a decade. It’s the strongest such law in the nation, and it has provided a robust tool for protecting some of Illinoisans’ most sensitive data against covert collection, use, and resale.

The question at issue in the case concerns who is allowed to sue for violation of their rights under the law. The lawsuit was brought by the family of a teenager whose thumbprint was scanned when he went to a Six Flags’ amusement part. Contrary to the requirements of the law, there was no explanation of why he was fingerprinted or how the data would be used.

BIPA allows anyone “aggrieved” by a violation of its provisions to seek monetary damages and other relief. The defendant in the case, supported by a number of organizations representing businesses that seek to collect biometric data — including tech giants like Facebook, Google, and Amazon — argued that someone can only be “aggrieved” if they can prove that they have suffered actual damages, such as monetary loss or other concrete harms.

As we explained in a friend-of-the-court brief, however, that interpretation would often leave “no means to hold wrongdoers accountable for their violations of BIPA’s notice and consent requirements” because “privacy harms are difficult for the consumer to understand at the outset and discover after the fact.” (In addition to the ACLU and ACLU of Illinois, the brief was joined by the Center for Democracy & Technology, Chicago Alliance Against Sexual Exploitation, Electronic Frontier Foundation, Illinois PIRG Education Fund, and Lucy Parsons Labs).

In a unanimous opinion, the Illinois Supreme Court agreed, holding that “an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled” to sue. The court explained, quoting a lower court’s ruling in another case:

The court’s ruling ensures that the Illinois law remains a meaningful tool for protecting against invasions of privacy. It will have an immediate effect in other cases, including a lawsuit challenging Facebook’s collection of face recognition scans — also filed under BIPA — in which we filed a friend-of-the-court brief late last year.

The decision also stands for a larger principle that in an age when companies have ever greater abilities to amass and monetize our personal data, it is crucial that Congress and state legislatures provide strong laws that both protect people’s rights and allow them to sue when companies violate the law. Legislators should reject self-serving industry arguments — similar to the ones made in this case — that consumers don’t deserve the right to take companies to court unless they can prove monetary or concrete harm.

As my colleague Neema Singh Guliani recently explained in The New York Times, “Huge privacy violations have become commonplace. Without a private right of action, consumers have little practical ability to seek relief in cases where their data was mishandled or misused.”

Lawmakers nationwide would be wise to follow Illinois’ lead and ensure that people throughout the country have a way to defend against surreptitious or misleading uses of their biometrics and other private and sensitive data.

Originally published at www.aclu.org.

ACLU

For nearly 100 years, America's guardian of liberty

ACLU National

Written by

The ACLU is a nonprofit, nonpartisan, legal and advocacy organization devoted to protecting the rights of everyone in America. To learn more, go to aclu.org.

ACLU

ACLU

For nearly 100 years, America's guardian of liberty

ACLU National

Written by

The ACLU is a nonprofit, nonpartisan, legal and advocacy organization devoted to protecting the rights of everyone in America. To learn more, go to aclu.org.

ACLU

ACLU

For nearly 100 years, America's guardian of liberty

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store