A new Illinois bill would strip residents of critical protection of their biometric privacy, including their right to decide whether or not a business may harvest and monetize data about their faces and fingerprints. Given the growing public outrage over how Facebook and Cambridge Analytica handled sensitive user data, this is the wrong time to reduce privacy protections.
The existing Illinois Biometric Information Privacy Act (BIPA) is the strongest law of its kind in our country. Among the key measures that protect our rights:
- BIPA requires private entities, including big for-profit businesses, to obtain consent from a person before collecting or disclosing their biometric identifiers.
- BIPA requires private entities that possess such identifiers to timely destroy them: when the purpose of collection ends, and in no event more than three years after the last contact with the subject.
- BIPA requires private entities to securely store such identifiers.
- BIPA allows parties injured by violations of these rules to file lawsuits to hold businesses accountable.
Our biometrics are easy to capture. Once captured, we generally cannot change our biometrics, unlike our credit card numbers, or even our names. Databases of biometric information are ripe targets for data thieves. That’s why EFF strongly supports Illinois BIPA as a necessary means to protect our biometric privacy from intrusion by private entities.
The new Illinois bill (S.B. 3053) would create broad new exemptions from BIPA, and thus greatly reduce the biometric privacy of all Illinoisans. For example, it would exempt face recognition technology, biometrics captured by employers about their employees, and biometrics captured by stores about their patrons. It also would exempt the many businesses that comply with other privacy statutes, that do not link captured biometrics to confidential information, and that do not store biometrics for more than 24 hours.
The Illinois BIPA is the gold standard for biometric privacy protection nationwide. We hope Illinois legislators will refuse to compromise on their constituents’ privacy.