The Nation's Strictest Privacy Law

In 2017, Apple launched the iPhone X and sold over 217 million of them to Americans across the country, making it the highest selling phone that year. What differentiated the iPhone X from previous models was the introduction of Face ID, a new feature that would allow the phone to use facial recognition to unlock the device. With the help of sensors, a dot projector, and a “TrueDepth camera system”, Face ID creates a 3D map of a user’s face in order to authenticate their identity before making a payment, confirming a download or opening the phone without the use of a passcode. The iPhone X’s facial recognition feature is especially notable for its ability to work with or without hats, sunglasses, make up, contact lenses, beards, hair cuts, and even in complete darkness. Allegedly, the new update is even supposed to allow facial recognition to work when one has a face mask on. In sum, your phone really knows your face, and because this data gets stored, Apple does too. 

Facial recognition is only one of many ways that Apple has gotten to know us. Not only does Apple use Face ID, but Touch ID, which uses your fingerprint to unlock your devices and confirm payments. Voice recognition is also used for the feature that summons Siri, the virtual assistant in Apple devices. While Apple’s may be the most popular, they are not the only tech company to have access to this data, and certainly not the only company with the ability to give it away. IBM, Amazon and Microsoft all sell facial recognition technology to police departments, which they halted during the Black Lives Matter protests over the summer. Other tech companies, such as Clearview AI, refused to do so, arguing that the police needed face databases—whether the consumers behind those faces had consented to it or not. Many scholars have argued that the exchange of facial recognition data could create serious surveillance problems for our democracy, but in the midst of a pandemic, when our online presence and technology use intensifies, this exchange has only become more profitable.

Because tech companies cannot be trusted to step down on their own, some state legislators have taken matters into their own hands. Illinois serves as the prime example. In 2008, the state successfully passed BIPA, the Biometric Information Privacy Act, which remains the strictest digital privacy law in the United States today. The act is efficient for three reasons in particular, the first being that it strictly outlaws companies from using, selling, trading, purchasing or obtaining consumers’ biometric information without their knowledge or consent, which is surprisingly rare to find in American privacy law. Biometrics, in BIPA, are defined as fingerprints, voice prints and scans of the face, hands, retina or iris, regardless of how it is captured. 

Secondly, it places a legal limit on the amount of data tech companies are allowed to collect and forces companies to write and publicize a policy for destroying biometric information once they no longer need it. 

Third, this law, unlike any before it, gives individual citizens the power to sue tech companies that abuse their data, not just corporations or the state.

Considering the unprecedented tightness of its restraints on tech companies, many are surprised that BIPA was able to get passed. However, its origin story makes it much more clear. A year before BIPA was signed into law, a company in Illinois allowed people to pay in stores using their fingerprints rather than a credit card. It eventually went out of business, but instead of destroying their biometric data, the company decided to sell it. Illinois residents heard about this and decided to rally together to stop it, thus inspiring the creation of BIPA. Few knew about the backlash from people in Illinois and even fewer noticed the passage of the bill a year later. This, more than anything, helped citizens convince lawmakers to agree to their demands without interference from powerful tech companies who could buy their cooperation. The success of BIPA has motivated other states to pass their own versions of the law, which has already been done in Washington, Texas, Louisiana, Oregon, California and New York. Many have advised that when it comes to privacy, having fifty strict state laws are better than one weak national law, which would be much harder to achieve considering the lack of bipartisanship in Congress right now. 

Senators Bernie Sanders and Jeff Merklee have proposed a National Biometric Information Privacy Act to Congress in August of 2020 and have yet to hear back from the judiciary committee. With Illinois as an example, it may be up to us on a state level to urge our local politicians to pass their own versions of BIPA and protect our digital privacy. 

Works Cited:

Tillman, Maggie. “What Is Apple Face ID and How Does It Work?” Pocket-Lint, 2 Feb. 2021, www.pocket-lint.com/phones/news/apple/142207-what-is-apple-face-id-and-how-does-it-work.  

Horowitz, Julia. “Amazon and Microsoft Stopped Working with Police on Facial Recognition. For Others It's Still Big Business.” CNN, Cable News Network, 3 July 2020, www.cnn.com/2020/07/03/tech/facial-recognition-police/index.html.  

O'Sullivan, Story by Donie, and John General. “This Man Says He's Stockpiling Billions of Our Photos.” CNN, Cable News Network, 10 Feb. 2020, www.edition.cnn.com/2020/02/10/tech/clearview-ai-ceo-hoan-ton-that/index.html.     

Link, Terry. “Biometric Information Privacy Act, 740 ILCS 14.” Illinois General Assembly, 3 Oct. 2008, www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57.  

Ovide, Shira. “The Best Law You've Never Heard Of.” The New York Times, The New York Times, 23 Feb. 2021, www.nytimes.com/2021/02/23/technology/the-best-law-youve-never-heard-of.html?searchResultPosition=3.  

Argentine, Kristine, and Paul Yovanic. “The Growing Number of Biometric Privacy Laws and the Post-COVID Consumer Class Action Risks for Businesses.” JD Supra, 9 June 2020, www.jdsupra.com/legalnews/the-growing-number-of-biometric-privacy-62648/.

Merkley, Jeff, and Bernie Sanders. “S.4400: National Biometric Information Privacy Act of 2020.” Congress.gov, 116th Congress (2019-2020), 3 Aug. 2020, www.congress.gov/bill/116th-congress/senate-bill/4400.