Technology has created new concerns around privacy that previous generations would never have thought of. The old days of keeping a social security number locked in a safe along with other sensitive information are a thing of the past, and new technological developments have necessitated new techniques to keep user privacy safe.
About Biometric Data
Biometric data is a fairly new phenomenon, becoming commercially viable only within the last decade or so. The idea of eye readers and fingerprint scanners is nothing new, being featured in many forms of media and entertainment.
With the rise of new forms of identification, concerns about user privacy have become more and more important. Social security numbers and other forms of identification data that are listed on paper are significantly easier to keep private, compared to data such as fingerprints or facial recognition.
A Lawsuit out of Illinois
This fact is at the center of a new lawsuit out of Illinois. A class action lawsuit was recently filed against Target, in which the plaintiff accuses the company of collecting her biometric data – including face and fingerprint scans – without her permission.
This is in direct violation of the Biometric Information Privacy Act (BIPA), a law that was enacted in 2008. It states that companies in Illinois are prohibited from collecting, storing, or giving out biometric information without obtaining prior permission from the owner of the biometric information.
Other States with BIPA Regulations
Illinois is by no means the only state to implement laws on biometric identifiers. Other states that have done this include Texas, New York, and Washington, with Florida on track to follow suit later this year in July.
These laws have been implemented due to the sensitivity of biometric data. Other forms of personally identifiable information such as social security numbers can be changed in the event of identity theft, but biometric data such as face scans, fingerprints, or voice recordings are not so easily changed.
A Solution to Identity Theft?
Now, biometric data was initially conceived in part as a solution to combat issues that arise with identity theft. Carelessness surrounding a social security number or a lost driver’s license can leave many individuals vulnerable to having their personal information stolen.
The way biometric data combats this is by analyzing the specific traits that are unique to the individual’s makeup, such as vein patterns in a palm, vocal pitches, retina details, and even the shapes of ear canals.
Target Stealing Biometric Information
These are factors that are much more difficult to replicate or steal than a social security number. They’re also significantly more dangerous to the individual when they are stolen. Socials can be changed, but fingerprints cannot.
It is this issue that is at the heart of the lawsuit against Target in Illinois. Arnetta Dean, the plaintiff in the class action suit, has claimed that Target stored her personal biometric data, including her face and fingerprint scans, in violation of BIPA.
Surreptitious Collection of Data
The lawsuit was filed last month in Cook County, and claims that Target’s surveillance systems, including cameras with facial recognition technology, “surreptitiously collected biometric data on customers without their knowledge or consent.”
“Target does not notify customers of this fact prior to store entry, nor does it obtain consent prior to collecting its customers’ Biometric Data,” the lawsuit claims.
Companies are Prohibited
BIPA states not only that companies in Illinois are prohibited from collecting biometric data, but also that they are required to inform individuals of the specific purpose and duration of their data collection, when prior permission is obtained by the companies.
They also must state where the information will be stored, and when the information will be destroyed. This is because, like social security numbers, biometric data can be stolen from digital databases by skilled hackers, and can create significant vulnerabilities for individuals should their information be compromised.
Failure to Comply
The lawsuit says that Target failed to comply with the requirements laid out by BIPA. Under BIPA, individuals have a private right of action to file a lawsuit for violations of the act, with potential damages ranging from $1000 for negligent violations to $5000 for intentional or reckless violations, as well as attorneys’ fees and injunctive relief.
Dean’s lawsuit is attempting to prove just that. She is seeking $5000 for “each and every intentional reckless violation” of the law, or statutory damages of $1000 for any violation found to have been committed negligently, along with attorneys’ fees and other litigation expenses.
Claims of Data Being Unlawfully Taken
According to the lawsuit, Target’s “advanced system of electronic surveillance” includes operating 14 investigation centers and two forensic labs to “enhance video footage and analyze fingerprints.”
It is through this system of surveillance that Dean believes that her data was unlawfully taken. While the lawsuit doesn’t contain any proof that the information was used in an improper manner, the violation of BIPA still stands, and she is entitled to compensation due to it.
Other Companies Under Fire
Target is not the only company that has faced class action lawsuits for violation of BIPA laws in recent years, either. In 2021, Facebook was accused of violating the law, which ultimately led to a $650 million settlement for the users whose information was violated.
In that lawsuit, more than a million Facebook users in Illinois received checks for nearly $400 each, as a part of the settlement. In the grand scheme of things, this is very small compensation for the potential of losing control over biometric data, but it was compensation nonetheless.
Illinois was the First
Illinois was the first state to enact a comprehensive biometric privacy law, and despite other states following suit in the years since, the Illinois BIPA is still the most comprehensive law of its kind.
More than 2000 lawsuits have been filed under BIPA since 2018, according to data reported by NPR. The first class action lawsuit filed under the law occurred in 2015, and the court has since clarified that a five-year statute of limitations applies to most BIPA violations.
Fewer Lawsuits in Other States
Other states with biometric data privacy laws aren’t generating the same number of lawsuits seeking damages as the ones that are taking place in Illinois. This is because the laws in other states are a little more limited in scope, and there is no private right of action under the other laws.
Additionally, according to a 2019 Illinois Supreme Court decision, plaintiffs in data privacy lawsuits don’t have to show harm to be considered aggrieved under the law. Cases have been seen where there was no actual harm done to the plaintiff, and many experts believe that more of these types of suits are on the way.
More BIPA Laws in the Future
Developing technology will see more of these types of laws being put on the books in order to protect Americans. Keeping personal and biometric data safe will become more and more important as the years go on and as technology advances, and the laws of cities, states, and countries will need to progress along with technology.
Lawsuits surrounding biometric data are a wake-up call for companies seeking to collect, use, or store the data of Illinois residents. Compliance isn’t difficult, though, and avoiding the type of bad press these lawsuits bring will be of utmost importance for these companies, in the grand scheme of public relations and positive social sentiment.