How Illinois Wins in the Fight Against Big Tech – Twin Cities
Facial recognition company Clearview AI agreed last month to stop selling its huge database of photographs pulled from the internet to private companies across the United States. The decision is the direct result of a lawsuit in Illinois, a demonstration that strict privacy laws in a single state can have nationwide ramifications.
The Illinois Biometric Information Privacy Act places strict limits on the collection and distribution of personal biometric data, such as fingerprints and iris and facial scans. Illinois law is considered one of the strictest in the nation, limiting the amount of data collected, requiring consumer consent and allowing consumers to sue companies directly, a right usually limited to the states themselves. . Although it only applies to Illinois residents, the 2020 Clearview case, brought by the American Civil Liberties Union, shows that effective laws can help rein in some of the most invasive practices. of Big Tech.
Tech companies are in a feverish race to develop reliable ways to automate the identification of people through facial scans, fingerprints, palm prints and other personal biometric data. The data is considered particularly valuable because unlike, for example, credit card information or personal addresses, it cannot be changed. But as these data companies profit from the deployment of technology in police departments, federal agencies and a host of private entities, consumers have no real guarantee that their personal information is protected.
Facial recognition software, in particular, has been shown to too often fail to identify people of color, in some cases leading to wrongful arrests and fears that the software could erect additional barriers for people seeking identity. a job, unemployment benefits or mortgages.
Because the United States lacks meaningful federal privacy protections, states have passed a patchwork of largely business-friendly laws. By contrast, Europe passed the General Data Protection Regulation six years ago, restricting the online collection and sharing of personal data, despite huge lobbying against it by tech companies.
Illinois law’s provision for individuals to sue companies, known as the private right of action, has led to hundreds of lawsuits, with surprising success. Google recently agreed to pay $100 million to settle a lawsuit for improperly using photos of Illinois residents, and the company said it will add new prompts to seek consumer consent to group photos. Pictures. Meta, the parent company of Facebook, will pay $650 million to settle a similar lawsuit filed in the state, and the parent company of video streaming platform TikTok, ByteDance, has agreed to terms of settlement regarding the allegations that she scanned and used biometric data without consent in Illinois. Snapchat is also facing a class action lawsuit in the state over its facial recognition practices.
“People don’t realize how much they’re giving to these companies,” said Faye Jones, a professor at the University of Illinois School of Law. “It’s not that hard for businesses to comply with Illinois rules.”
Tech companies, she said, have successfully lobbied for watered down or non-existent biometric data provisions in other states. In addition to Illinois, Washington and Texas — which is suing Meta for misuse of consumers’ personal data — have general laws governing the use of biometric identifiers, but those states do not grant a private right of action. Washington state has failed for three straight years to pass a comprehensive privacy bill, in part because of opposition to private right of action provisions.
And while much attention has focused on facial recognition, with local government agencies banning its use in several jurisdictions, including San Francisco and Minneapolis, in recent years tech companies have been honing their skills using other data. to identify people, in particular by combining information. like our cell phone locations, shopping data, fitness trackers, and license plate scanners, to name a few. A particular focus on facial recognition, while well-intentioned, eliminates the urgent need for sweeping consumer privacy reforms.
To those who wonder about the harm done by private companies such as Google and Amazon aggregating their biometric data: ask if the companies would sell or have sold this technology and information to foreign and domestic governments and others. other third parties.
Of course, not all data collection is inherently bad – it can help refine and improve the products we use for free every day – but biometric data can be too easily used to discriminate. Companies could simply buy data to infer race, gender, sexual orientation and other intimate details that could improperly influence credit companies or potential employers. Once this data ends up in the hands of data brokers and other analytics companies, it’s nearly impossible to get it all back.
The Illinois law demonstrates that strong laws can influence companies to change their policies in favor of consumers. Clearview, which had indicated its ambition to collect 100 billion photos from social media and other sources to facilitate facial scans, said it would stop working with Illinois police departments and others. government agencies for five years and would stop providing its database to most private companies in the country. — a blow to his business. It also gives Illinois consumers a clearer option to opt out of having their photos appear in Clearview search results.
Between the growing influence of tech lobbyists in Washington and our growing reliance on cellphones and tablets, consumers face an uphill battle against Big Tech. And outside of Illinois, they have very few protections against the worst excesses of data collection.
With Congress’s repeated failure to advance meaningful legislation, it may be up to states to help consumers regain some control over their own data.
Greg Bensinger writes for The New York Times.