As biometric technology continues to proliferate, it will not be surprising to see more robust biometric privacy laws coming out of state legislatures and Congress in the coming years.
Facebook has been battling a class-action lawsuit over biometric data security since 2015. After five years of mediation and litigation, they finally agreed to settle the case for $550 million.
But, despite the proposed settlement being one of the largest consumer privacy settlements in U.S. history, the judge assigned to the case rejected the proposal. Now Facebook has upped its offer to $650 million, but will that be enough?
What’s This Case All About?
The plaintiffs allege that Facebook violated Illinois’s Biometric Information Privacy Act (BIPA) by using its DeepFace facial recognition program to make “tag suggestions” when someone uploads a photo. The class action lawsuit represents millions of Illinois residents who uploaded photos to Facebook since 2011.
What Does the Law Say?
BIPA places limitations on companies’ collection and use of biometric information. The statute allows individuals to sue for violations and allows them to recover at least $1,000 in damages. Further, if a court finds that the company “intentionally or recklessly” violated the biometric security law, plaintiffs can recover a minimum of $5,000 in damages.
So, What’s the Problem with the Settlement?
The judge assigned to a class-action case has to approve any settlement agreement. Judge James Donato, the U.S. District Court judge assigned to the case in California, refused to approve the proposed $550M settlement because it was drastically lower than what the plaintiffs could win at trial.
The judge explained, “It’s $550 million. That’s a lot. But the question is, is it really a lot?” The judge pointed out that the plaintiffs’ lawyers had “a pretty good argument” that Facebook’s violation of the Illinois law was intentional or reckless. That would mean damages of $5,000 per user, or approximately $47 billion in total.
In other words, Facebook’s proposed settlement represented “effectively a 98.75 percent discount . . . off of the amount that the Illinois legislature said might be due in this case.” The judge estimated that the settlement would give each user only about $150 and did not consider that to be adequate.
“That just doesn’t seem right to me,” said the judge. “I am not willing to let those companies off the hook in this case.”
So, What’s the Big Deal About Biometric Privacy?
Biometric privacy has only become a major issue in recent years. Prior to that, biometric security was fodder for science fiction or James Bond movies.
But now, even our phones can use fingerprints to access our personal accounts. We have home devices that recognize our individual voices. And law enforcement can use facial recognition to track down criminals. Biometric data and security are becoming increasingly integrated into our everyday lives, which comes with accompanying privacy risks.
What Is Biometric Data?
Biometrics verify a person’s identity by measuring their physical characteristics. Examples of biometric data include, among other things,
- DNA,
- Fingerprints,
- Voice recognition,
- Retina or iris recognition,
- Typing recognition,
- Hand geometry recognition, and
- Face recognition.
Biometric data can increase security and be more difficult to hack than a password, especially as technology improves. However, you still need to take steps to guard your biometric data.
How Can Biometric Data Be Misused?
There are a number of ways biometric data can be misused if it falls into the wrong hands. These can range from the merely annoying to the sinister and may include:
- Targeted marketing,
- Data mining,
- Identity theft,
- Hacking,
- Mass surveillance, and
- Fraud.
Once someone has stolen your biometric data, you may face permanent risks. You can’t change your biometrics if they are compromised like you can a password. This is why it is so important for companies to use biometric data responsibly and guard it carefully.
How Can We Protect Our Biometric Data?
As with many other evolving technologies, the responsibility of regulating biometric privacy often falls on companies themselves as legislation struggles to keep up.
Even though many companies take reasonable steps to secure biometric data, they may not be forthright with customers about how they use their data. This means that consumers may be giving up more than they bargained when they first adopt new technology.
Although the concept of using biometric data is not new, it’s only been in recent years that its proliferation has prompted states to take action.
Illinois was ahead of the curve, enacting the Biometric Information Privacy Act (BIPA) back in 2008. This comprehensive legislation granted a private right of action to citizens affected by a violation of the law. This means that, like the plaintiffs in the Facebook case, they can sue a company directly rather than waiting for the government to take action.
For the first several years, few plaintiffs filed cases under BIPA, with only 15 class actions between 2008 and 2016. However, by June of 2019, 324 BIPA class actions had been filed. And the number continues to grow, with Google, Microsoft, and Amazon all being named as BIPA defendants in 2020.
Seven more states (Texas, Washington, California, New York, Arkansas, Louisiana, and Oregon) have also enacted biometric privacy laws, four of those since the start of 2020. And another 11 states have proposed legislation to address biometric privacy, though only three of those proposals were currently pending as of June 2020.
As biometric technology continues to proliferate, it will not be surprising to see more robust biometric privacy laws coming out of state legislatures and Congress in the coming years.
Join the conversation!