
Biometric data collection proves costly for violators but damages capped in Illinois

Facebook concedes in Texas, agrees to settle facial recognition lawsuit

The Federal Trade Commission (FTC) is on a data privacy mission, as Chair Lina Khan takes to task data controllers across sectors who have played fast and loose with their clients’ biometric data. In a recent interview with Recorded Future News, Ben Wiseman, associate director for the Division of Privacy and Identity Protection under Khan, lays out the FTC’s aggressive new rule dictating commercial surveillance – how companies collect, analyze and monetize consumer data.

Wiseman says privacy measures amount to “a fiction if it means having to sift through hundreds of thousands of pages of privacy policies. Consent cannot be meaningful when consumers don’t have information to actually make real choices and they are forced to live their lives online as the digital economy becomes more and more entrenched in our everyday lives, including our lives at work.”

From employment to driving, data collection is now commonplace. Wiseman and the FTC support a national data privacy law for the U.S., which is being kicked around the halls of government. But in the meantime, there are individual messes to clean up, and questions on how to penalize the companies that make them.

Facing Texas-sized fine, Facebook settles on bygone facial recognition feature

Meta has provisionally settled with the state of Texas over Facebook’s alleged illegal use of facial recognition technology to collect the biometrics of users in the state, according to a report from Reuters. The settlement comes days before jury selection for the lawsuit was scheduled to commence, and despite previous statements from the social media giant proclaiming the allegations to be “without merit” and vowing to defend itself “vigorously.”

Texas’s biometric privacy law was enacted in 2009. But the Facebook case, filed in 2022, is the first major case to be brought under the law, which includes a provision for damages of up to $25,000 per violation.

Since the case addresses Facebook’s collection of biometric data from uploaded photos and videos as part of its defunct “Tag Suggestions” feature, violations could have numbered in the billions.

Facebook’s argument hinged on it having given “clear notice” to users explaining the tag suggestion feature and how to control it. However, it was quick to end the program, suggesting it understands the limits of its justifications.

In 2020, the company agreed to settle a biometric privacy class action brought under Illinois’s Biometric Information Privacy Act (BIPA). That settlement cost Facebook $650 million.

The Texas court has paused for 30 days while both sides finalize the deal and lock down the terms of the settlement.

Illinois moves to cap damages for BIPA violations

In a tacit acknowledgement that a fine in the quadrillions of dollars is a bit steep even for Mark Zuckerberg, Illinois is amending BIPA to put a limit on damages companies must pay for violating biometric data privacy. CBS News reports that, in effect, the change will mean that Illinois law – which gives a private right of action to pursue litigation – will now account for privacy violations on a per-person basis, rather than a per-use basis. The idea is to be able to discipline firms that illegally collect biometric data, without having to bankrupt them.

Target is unlikely to file for Chapter 11 any time soon, but it still faces a potentially significant payout in a class-action lawsuit from Illinois shoppers who say the retail chain violated BIPA by collecting face scans to identify potential shoplifters. The shoppers are seeking the full 5K per unlawful transaction.

Colorado biometrics law does not give private right of action

Colorado has amended its state privacy act HB 1130 to add specific requirements for processing biometric data, according to Covington. Like BIPA, it requires data controllers to provide notice and obtain consent before collecting or processing biometrics, and to obtain consent for a variety of uses after the fact.

Unique to Colorado are conditions applied to purchasing biometric identifiers, including paying the consumer and requiring the purchase to be “unrelated to the provision of a product or service to the customer.” There are also retention requirements that differ from BIPA, which must be put in writing and include a protocol for responding to a data breach. And rules around employment put boundaries on the reasons employers can collect biometric data.

None of it, however, is grounds for a lawsuit. Unlike BIPA, the Colorado law does not have a private right of action.

Recently, about 6,000 Food 4 Less employees in Illinois had their class action lawsuit against Kroger Co. approved by an Illinois federal judge for a $6 million settlement. The suit accuses Kroger subsidiary Ralph’s of unlawfully collecting and storing workers’ biometric identifiers for timekeeping “without first providing them with legally required written disclosures and obtaining written consent, in violation of the Illinois Biometric Information Privacy Act.”
