Protecting Consumer Privacy in the Courts

Over the past several years, I’ve defended the Illinois Biometric Information Privacy Act (BIPA) from attempts to weaken it through the Illinois General Assembly. Now, Illinois PIRG Education Fund is joining with other consumer and privacy advocates to defend it in the courts.

Last week we filed an Amicus brief in the upcoming Illinois Supreme Court case, Rosenbach v. Six Flags, along with the American Civil Liberties Union, the ACLU of Illinois, the Center for Democracy & Technology, the Chicago Alliance Against Sexual Exploitation, the Electronic Frontier Foundation and Lucy Parsons Labs.

Biometric information, whether the whorl of a fingerprint or the contour of an eyebrow, is uniquely sensitive. You can cancel your credit card. You can’t cancel your face.

BIPA bars private entities from buying, collecting or storing biometric information unless they first acquire informed consent. BIPA also requires basic standards for secure storage of the data, and bars selling to or sharing biometric information with third parties.

While we believe the standards set out by BIPA are commonsense and should serve as a model for privacy protections, the companies whose business model depends on the mass collection of consumers’ private personal information through pervasive digital surveillance see laws like BIPA as a threat.

They should. Facebook, for example, is currently defending a class action lawsuit brought by three Illinois residents alleging that Facebook violated BIPA by using facial recognition technology without first obtaining users’ consent. Facebook could be found liable for damages to Illinois residents in the billions of dollars.

In Rosenbach, Six Flags collected biometric data from the plaintiff’s son when he purchased a season pass to Great America. Six Flags did not give notice or obtain consent as required by BIPA. The mother sued in Lake County Circuit Court on behalf of her son and others similarly situated. But an Appellate Court held that the plaintiff was not “aggrieved,” because she and her son alleged only a “technical violation” of BIPA and did not suffer any “actual harm.”

This is a common tactic by corporate interests looking to negate strong consumer protection laws. They claim consumers were not actually harmed when their privacy rights were violated, or their data breached, etc. Sometimes they can get the courts to agree. That’s why we’ve joined with partners to make our case to the Illinois Supreme Court.

Like many modern technologies, biometric tools hold promise and threat. They could make our lives better, our transactions more convenient, our financial lives more straightforward. But the promise must not blind us to the risks. As the Cambridge Analytica scandal unfolds, we’re learning more and more about how the Facebooks and Googles of the world amass, manipulate, and profit off of our information. But that information is quintessentially ours. It’s my face. It’s your movements. It’s our conversations with friends and family. We should know who is collecting and commercializing information created from the stuff our lives are made of. And we should have to opt into — and be able to easily opt out of — pervasive, intrusive surveillance.

We should not only be defending BIPA but expanding on it, passing as many laws as necessary to defend our right to basic control over our personal information in every state and nation.