SAN FRANCISCO — The Biometric Information Privacy Act of Illinois is not a law many are familiar with. But if you have ever shared a photo on social media, the little-known statute turns out to be one of the nation’s toughest regulations for how companies like Facebook and Google can use facial recognition technologies to identify you online.
On Thursday, an Illinois state senator, Terry Link, introduced an amendment that would have weakened the law by exempting photo-tagging technologies that are now commonly used on social media. The proposal also had the potential to extinguish several class-action lawsuits against technology companies like Facebook by retroactively removing the right of Illinois citizens to sue companies that might have broken the law in the past.
The amendment was lobbied for by Facebook, according to a person involved in the effort who spoke on the condition of anonymity. And it helps to illustrate how from drone aircraft to genetic information and statutes that govern how companies sell consumer information to data miners, tech companies are in a capital to capital fight to keep new laws from being passed or to soften those already on the books.
“The Illinois biometric privacy act is one of the best new privacy laws in the country,” said Marc Rotenberg, president of the Electronic Privacy Information Center. “It’s bad news for consumers when Internet companies start lobbying against good privacy laws.”
The proposed amendment, which would have carved out an exemption for any biometric information collected through a photograph or video, prompted a host of lawyers and privacy advocates to condemn the proposal. By Friday afternoon, a spokesman in the office of Senator Link said the amendment was no longer being considered but declined to comment further. The senator had also written the original law.
In a comment sent by email, a spokeswoman for Facebook said, “We appreciate Senator Link’s effort to clarify the scope of the law he authored.”
Pam Dixon, executive director of the World Privacy Forum, said statehouses were increasingly becoming privacy battlegrounds as legislators wrestle with the question of not just how tech companies use people’s names and personal information, but also their faces and voices.
“We have had a very dysfunctional Congress for quite some time, and as a result the most effective place to work has been the statehouses,” she said. “It’s where hearts and minds are being won and where laws are still being crafted and passed.”
Biometric information like face and voice recognition has become a huge and potentially costly area as tech companies plow tons of money and powerful artificial intelligence technologies into photo and video applications that can identify people with an accuracy that would have seemed like science fiction only a few years ago.
Laws curbing these programs can be a huge burden for tech companies, because following the laws could mean slowing the arrival of new features or creating a patchwork of features that could be turned off and on in various states.
While the state violations are often small — the Illinois act gives citizens the right to sue for up to $5,000 per violation — potential liability can run to billions or even trillions of dollars once multiplied across hundreds of millions of individual users. That has made privacy law a lucrative new area for class-action lawyers who can extract multimillion-dollar settlements just by bringing a case.
Nevertheless, questions of how much tech companies should be allowed to do without notifying their users will multiply, especially as people adopt more live video and voice technologies that have already made it possible for tech companies to identify people who might not even use their services.
“It’s basically a company creating the ability to capture someone’s identity when they might not want to reveal their identity,” Mr. Rotenberg said.
The Biometric Information Privacy Act was passed in Illinois in 2008 and has quickly become the bane of social media companies. Under the current law, companies have to get a user’s consent before turning on features that scan and store faces for identification.
The law is at the center of several class-action lawsuits, including one that claims that Facebook has “secretly amassed the world’s largest privately held database of consumer biometrics data.”
That suit, filed by Edelson PC – a Chicago-based law firm known for suing tech companies for privacy violations – recently cleared a significant legal hurdle that allowed the suit to proceed and increases the likelihood of Facebook settling the case, which could potentially mean millions in fees for the Edelson firm.
Jay Edelson, founder of Edelson PC, said of Facebook: “These guys believe that the rules shouldn’t apply to them and have the money to literally rewrite them.”