Biometric data collection proves costly for violators but damages capped in Illinois

Facebook concedes in Texas, agrees to settle facial recognition lawsuit

The Federal Trade Commission (FTC) is on a data privacy mission, as Chair Lina Khan takes to task data controllers across sectors who have played fast and loose with their clients’ biometric data. In a recent interview with Recorded Future News, Ben Wiseman, associate director for the Division of Privacy and Identity Protection under Khan, lays out the FTC’s aggressive new rule dictating commercial surveillance – how companies collect, analyze and monetize consumer data.

Wiseman says privacy measures amount to “a fiction if it means having to sift through hundreds of thousands of pages of privacy policies. Consent cannot be meaningful when consumers don’t have information to actually make real choices and they are forced to live their lives online as the digital economy becomes more and more entrenched in our everyday lives, including our lives at work.”

From employment to driving, data collection is now commonplace. Wiseman and the FTC support a national data privacy law for the U.S., which is being kicked around the halls of government. But in the meantime, there are individual messes to clean up, and questions on how to penalize the companies that make them.

Facing Texas-sized fine, Facebook settles on bygone facial recognition feature

Meta has provisionally settled with the state of Texas over Facebook’s alleged illegal use of facial recognition technology to collect the biometrics of users in the state, according to a report from Reuters. The settlement comes days before jury selection for the lawsuit was scheduled to commence, and despite previous statements from the social media giant proclaiming the allegations to be “without merit” and vowing to defend itself “vigorously.”

Texas’s biometric privacy law was enacted in 2009. But the Facebook case, filed in 2022, is the first major case to be brought under the law, which includes a provision for damages of up to $25,000 per violation.

Since the case addresses Facebook’s collection of biometric data from uploaded photos and videos as part of its defunct “Tag Suggestions” feature, violations could have numbered in the billions.

Facebook’s argument hinged on it having given “clear notice” to users explaining the tag suggestion feature and how to control it. However, it was quick to end the program, suggesting it understands the limits of its justifications.

In 2020, the company agreed to settle a biometric privacy class action brought under Illinois’s Biometric Information Privacy Act (BIPA). That settlement cost Facebook $650 million.

The Texas court has paused for 30 days while both sides finalize the deal and lock down the terms of the settlement.

Illinois moves to cap damages for BIPA violations

In a tacit acknowledgement that a fine in the quadrillions of dollars is a bit steep even for Mark Zuckerberg, Illinois is amending BIPA to put a limit on damages companies must pay for violating biometric data privacy. CBS News reports that, in effect, the change will mean that Illinois law – which gives a private right of action to pursue litigation – will now account for privacy violations on a per-person basis, rather than a per-use basis. The idea is to be able to discipline firms that illegally collect biometric data, without having to bankrupt them.

Target is unlikely to file for Chapter 11 any time soon, but it still faces a potentially significant payout in a class-action lawsuit from Illinois shoppers who say the retail chain violated BIPA by collecting face scans to identify potential shoplifters. The shoppers are seeking the full 5K per unlawful transaction.

Colorado biometrics law does not give private right of action

Colorado has amended its state privacy act HB 1130 to add specific requirements for processing biometric data, according to Covington. Like BIPA, it requires data controllers to provide notice and obtain consent before collecting or processing biometrics, and to obtain consent for a variety of uses after the fact.

Unique to Colorado are conditions applied to purchasing biometric identifiers, including paying the consumer and requiring the purchase to be “unrelated to the provision of a product or service to the customer.” There are also retention requirements that differ from BIPA, which must be put in writing and include protocol for responding to a data breach. And rules around employment put boundaries on the reasons employers can collect biometric data.

None of it, however, is grounds for a lawsuit. Unlike BIPA, the Colorado law does not have a private right of action.

Recently, about 6,000 Food 4 Less employees in Illinois had their class action lawsuit against Kroger Co. approved by an Illinois federal judge for a $6 million settlement. The suit accuses Kroger subsidiary Ralph’s of unlawfully collecting and storing workers’ biometric identifiers for timekeeping “without first providing them with legally required written disclosures and obtaining written consent, in violation of the Illinois Biometric Information Privacy Act.”
