Here’s why tech companies continue to pay millions to settle lawsuits in Illinois




CNN Business

Regulators have spent years trying to make big tech companies pay for the ways they collect and sometimes misuse user data. One state, on the other hand, is literally making them pay, and pay consumers directly.

Illinois is one of the few states in the United States that has a law requiring businesses to obtain consumer consent before obtaining biometric data, and its rule, passed in 2008, is the toughest in the nation. The law, called the Biometric Information Privacy Act (BIPA), doesn’t just force companies to obtain people’s consent before collecting biometric data such as fingerprints or facial geometry scans. It also establishes rules that require companies to protect that information, prohibits companies from selling Illinois residents’ biometric data, and allows Illinois residents to file complaints against companies for alleged violations of the law.

In the nearly 15 years since, services that use biometric data (from palm print recognition to buy groceries to facial recognition software to unlock your phone) have become more and more common. But US law has not kept up. There is no federal legislation on the matter, and among the few states that have taken action, Illinois’ law is seen as effective.

“It’s the golden rule,” said Chad Marlow, senior policy adviser for the American Civil Liberties Union.

As a result, Illinois has become the benchmark for regulating biometric technologies such as facial recognition software. Groups like the ACLU and individual consumers have used the law to sue a growing list of major companies from Facebook to Snapchat, and in some cases to restrict the behavior of tech companies that provide products and services in the state. In the process, it has sent a message about the importance of personal data privacy beyond Illinois.

In Illinois, BIPA was created in part out of concern about data collected by a fingerprint-scanning payment company that later went belly up. Lawmakers were concerned that data collected by Pay By Touch, which was available at Jewel-Osco grocery stores in the Chicago area, could be sold in bankruptcy (the company was auctioned off in pieces).

The text of the law, introduced in early 2008, refers to Pay By Touch and states that, unlike a Social Security number, biometric identifiers are “biologically unique” and cannot simply be changed if compromised.

“Not all of the implications of biometric technology are fully known,” the law says.

In fact, at the time, companies in the United States were pursuing biometric technologies, but consumers were not nearly as familiar with them as they are today, and the impact of these technologies was impossible to estimate. It wasn’t until 2010 that Facebook used facial recognition software to automatically tag users in photos uploaded to the social network, for example, and in 2013 Apple first added a fingerprint sensor to the iPhone to unlock the device. BIPA was passed 12 years before America’s first wrongful arrest due to facial recognition.

Experts say one of the law’s most powerful provisions allows individuals to sue, rather than leaving it up to the state. (Texas and Washington, which have similar rules, leave the decision to take legal action to their state attorneys general.) Companies that have “intentionally or recklessly” violated BIPA can be fined up to $5,000 per violation; those who violate the law due to negligence can be fined up to $1,000 per violation.

That right to sue “has been one of the only ways to get companies to take compliance seriously,” said Hayley Tsukayama, senior legislative activist at the digital rights group Electronic Frontier Foundation. “And of course, it’s a reason why people who hate it hate it with a burning passion.”

Despite the legal teeth of BIPA, the law did not show its full force until 2015. That year, Chicago-based attorney Jay Edelson, of Edelson PC, led a lawsuit against Facebook alleging the social network violated BIPA by using facial recognition software to identify people in users’ photos and suggest users tag those people by name. The lawsuit argued that Facebook was essentially collecting and storing users’ facial biometrics (measures of facial geometry extracted from images) without prior request or consent, which is against Illinois law.

“Our client was literally worried that he was going to lose his biometrics, and it was going to be out in the world,” Edelson said of the initial plaintiff’s decision to sue the social network.

Facebook agreed in early 2020 to settle the case for $550 million, which a judge raised to $650 million in March 2021. (It works out to $397 per eligible person, Edelson said — it may be a small amount, but it’s a lot more than people receive in many class-action lawsuits.)

Edelson has worked on dozens of BIPA cases and estimates that more than 500 lawsuits have been filed alleging violations of the law. Many of the lawsuits involve companies that use systems to log employees in and out with their fingerprint or face, but in addition to Facebook, many big tech companies have also agreed to class-action settlements worth hundreds of millions of dollars.

Last year, TikTok agreed to pay $92 million to settle a class-action lawsuit alleging it illegally collected users’ biometric data and shared it with other companies; the suit was split into a national class and an Illinois class so that the Illinois class could receive six times more money as a result of BIPA. Google in April agreed to pay $100 million to settle a suit related to a photo grouping feature in Google Photos, and Snap in August agreed to pay $35 million to settle a suit related to filters and lenses in Snap’s app. (None of these companies have admitted wrongdoing.)

“In the big picture, all of these suits work in combination with each other, and that’s what makes BIPA so powerful,” Marlow said.

The results aren’t always limited to the money paid to consumers, and the impacts of the suits can reach beyond Illinois’ state lines. For example, the settlement with controversial AI facial recognition company Clearview (a case Edelson took on pro bono on behalf of the ACLU and other nonprofit groups) had a big impact when it was reached earlier this year: the company will not sell its software to most companies in the United States, a decision that largely limits its use to the country’s law enforcement agencies.

The outcome of the suit “is a total game-changer in our minds,” Edelson said.

The Facebook suit also had an impact beyond Illinois. In November 2021, less than a year after a judge increased the settlement amount in the BIPA case, the company said it would stop using facial recognition software to automatically recognize people in photos and videos. It also announced that it would delete data related to the faces of more than a billion people (it will still work on facial recognition technology, though, and may use it in future products).

“I’m not sure it’s a decision they would have made if it weren’t for BIPA, but certainly making that decision removes the possibility of BIPA not complying with facial images and facial geometry,” said Lior Strahilevitz, a law professor at the University of Chicago.

Facebook did not respond to a request for comment. The company did not mention BIPA when it announced its decision to stop using the technology.

To avoid even the possibility of breaking the law, some companies have gone so far as to decide not to sell a product in the state. One such product is Sony’s Aibo robot dog, which the company says mimics the behavior of a real pet, using facial recognition software to “act differently around familiar people.”

Other companies are restricting features that include biometrics to people who live outside of Illinois. That’s what happened in 2018, when Google added a feature to its Google Arts & Culture app that lets people take a selfie and then compare it to historical paintings to find the one that most closely resembles their mug.

“That certainly wasn’t available in Illinois, and there was a local, ‘Hey, that’s interesting. Why can’t we use that?’” Strahilevitz said.

In the wake of BIPA’s passage, Texas and Washington passed their own biometric laws in 2009 and 2017, respectively. But the laws have hardly been tested (in 2022, Texas even sued Facebook over allegations it illegally took facial recognition data from Texans), probably because it’s up to the states to decide whether to sue.

The basic ideas behind BIPA “seem to be in line with popular sentiment,” Strahilevitz said, but lawmakers in states like California and Maine have tried and failed to pass their own versions of the rule.

Experts say that part of the reason for these failures is the build-up of opposition to these biometrics laws, particularly by large and small businesses that may be targeted by them.

However, EFF’s Tsukayama, whose group worked with California State Sen. Bob Wieckowski on a bill that would have created a BIPA-like law in California in February, believes it could be revived in the future, even if it stalls in committee in the spring.

After all, Tsukayama stated, “I can change the password, but I can’t change the face.”