eDiscovery Daily Blog

Illinois Court Says Biometric Fingerprint is Violation of Privacy, Even Without Injury: Data Privacy Trends

With Legaltech® behind us, it’s time to get back to covering interesting news items.  On January 25, the Illinois Supreme Court rejected an argument from a popular theme park that would have limited a state law that requires consent for the use of facial recognition and other biometrics.

According to The Verge (“Crucial biometric privacy law survives Illinois court fight,” written by Russell Brandom), Illinois’ Biometric Information Privacy Act (or BIPA), passed in 2008, requires affirmative consent for companies to collect biometric markers from their customers, including fingerprints and facial recognition models. The law has become a sticking point for a number of tech companies using facial recognition as a photo-sorting tool, and both Facebook and Google have faced lawsuits for alleged BIPA violations in their photo-tagging products. Facebook has pushed for legislative revisions to the law on several occasions, but so far unsuccessfully.

The January ruling involved Six Flags, which allegedly fingerprinted a 14-year-old visitor without parental approval. Contesting the case, Six Flags argued it couldn’t be held liable unless the plaintiff demonstrated a tangible injury from the unauthorized collection, often a difficult task in privacy lawsuits. If successful, Six Flags’ argument would have significantly limited BIPA’s power and made facial recognition much easier for companies like Facebook and Google.

But the Illinois Supreme Court was ultimately unconvinced by the argument, ruling that “a person need not have sustained actual damage beyond violation of his or her rights under the Act.” In Illinois, businesses that collect biometric data will have to do so carefully, which the court took to be a reasonable intent of the law itself. “Whatever expenses a business might incur to meet the law’s requirements,” the ruling reads, “are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

The ruling has been met with cheers from privacy groups, like the Electronic Frontier Foundation, but some business groups, like the Illinois Chamber of Commerce, expressed concern over the ruling, saying “We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health”. With the General Data Protection Regulation (GDPR) going into effect last year, the California Consumer Privacy Act (CCPA) passed and set to go into effect next year, and case law rulings like the SCOTUS ruling in Carpenter v. US, I’ve been saying that 2018 was the year of data privacy. It doesn’t seem to be slowing down any in 2019.

So, what do you think?  Do you think we’re going too far on enforcing data privacy or do you think that rulings like this are appropriate?  Please share any comments you might have or if you’d like to know more about a particular topic.
