Could the US Lose Its Best Privacy Law?
Illinois lawmakers are trying to undermine the Biometric Information Processing Act (BIPA). This is one of the few U.S. privacy laws providing Americans with real privacy protection.
What is America’s best privacy law?
Maybe it’s not objectively the best, but my favourite U.S. privacy law is Illinois’ Biometric Information Processing Act (BIPA), which passed way back in 2008. BIPA is one of the most powerful — albeit limited — privacy laws in the U.S.
BIPA requires businesses to provide notice and obtain consent before collecting biometric information from consumers, including facial recognition data, fingerprints, and voiceprints.
Sounds reasonable?
Not according to a series of Illinois bills that have attempted to weaken the law, apparently under the guise of helping “small businesses”.
Various bills proposed by Illinois legislators have attempted to remove BIPA’s private right of action, narrow its scope, change its definition of “biometric information”, or chip away at its consent requirements.
Why do you like BIPA so much, anyway?
BIPA has resulted in some high-profile cases and settlements, not least the $650 million Facebook class-action settlement from earlier this month.
In February I spoke to the American Civil Liberties Union (ACLU) of Illinois, which is suing facial recognition company Clearview AI under BIPA.
Clearview’s business model involves hoovering up social media photos (including, mostly likely, yours) without notice or consent, extracting unique biometric data about the subjects’ faces, sorting them into a searchable database, and selling access to that database to police and, until recently, private companies.
It’s just one state law. If it gets repealed, what’s the big deal?
The stitching-together of America’s patchwork of privacy laws has been one of the big stories of 2021 so far. But the country still lacks meaningful, rights-based privacy protection for much of its population.
Other than BIPA, there is no effective U.S. law prohibiting and companies like Facebook and Clearview from gathering biometric information without consent (although that may change soon).
This will change when Virginia’s Consumer Data Protection Act (CPDA) comes into force. However, this law has no private right of action, so there will be less incentive for businesses to comply with it.
Repealing or amending BIPA would be a huge step backward for U.S. privacy law, at a time when it seems to be moving forward faster than ever.
