Tech Companies Are Pushing Back Against Biometric Privacy Laws

They want your body.

Illustration: Oscar Bolton Green

Privacy advocates cheered when Illinois passed its Biometric Information Privacy Act (BIPA) in 2008 regulating commercial use of finger, iris, and facial scans. With companies such as Facebook Inc. and Google Inc. developing facial tagging technology, it was clear that laws would be needed to ensure companies didn’t collect and use biometric data in ways that compromised an individual’s right to privacy. If you lose your credit card, it’s easily replaced. But what happens when a company loses, or tries to profit from, your fingerprint?

Although the Illinois law was seen as a possible model for other states, aggressive lobbying by companies most interested in gathering biometrics has reshaped or killed similar efforts across the country. Only two other states have enacted biometric privacy laws—Texas, in 2009, and Washington, in May. Bills introduced in eight other states didn’t pass, leaving a regulatory chasm over data privacy across the U.S. In some states, like New York, agreeing on even a basic definition of biometrics to include in the proposals was a challenge. Congress and the White House remain committed to using biometrics in the interest of intelligence gathering and national security, while retail regulation has been limited to best-practices guidance by the Federal Trade Commission.

The Washington law might be the best example of industry pushback on attempts to regulate biometric data. The measure, which takes effect on July 23, is a watered-down version of BIPA, at best, says Alvaro Bedoya, executive director of Georgetown Law’s Center on Privacy & Technology. It places fewer limits on the use of biometric data than BIPA while narrowing consumer consent requirements and allowing certain exemptions for images already online.

A law like Washington’s “hurts everyone,” says Pam Dixon, executive director of the World Privacy Forum in San Diego, and is “useless.” Adam Schwartz, staff attorney with the Electronic Frontier Foundation in San Francisco, describes it as “a facial recognition law that doesn’t protect people from facial recognition. … There are companies whose business model is collecting biometric information without consumer consent.”

Jeff Morris, the state representative who sponsored the Washington bill, says balancing consumer privacy with the rights of companies that develop new technologies—crucial, given the number of tech companies in the state—was a challenge. “One of the things that was tough was this juxtaposition about being tech neutral and businesses being able to evolve. It took three years to get there,” he says.

Industry groups representing the likes of Google, Facebook, Amazon.com Inc., and Wal-Mart Stores Inc. have used various arguments to defeat or weaken proposals. The lobbyists point to what they say are practical benefits in using facial recognition, allowing them to develop new technologies for marketing and security. Strict laws can even encourage fraud, some industry groups say, because businesses will avoid using biometric data for fraud and security detection purposes. That carries a “huge risk of costly class action,” according to a letter from a five-member coalition that successfully lobbied this spring to defeat a Montana bill. That measure, the group said, “imposes highly specific notice and consent requirements that would make it unworkable to obtain consent for positive users of biometric data.”

The Illinois law caught the industry off-guard in 2008 when a company called Pay By Touch, possessing a mountain of fingerprint data, filed for bankruptcy. When the company considered liquidating its assets, including its biometric database, alarm bells over data privacy went off from Chicago to the capital in Springfield, prompting the state’s general assembly to pass BIPA. It quickly became a thorn in the side of the nation’s tech giants and spurred several lawsuits.

Three cases filed against Facebook have fought to limit the company’s use of its facial tagging tool, claiming the social media giant “secretly amassed the world’s largest privately held database of consumer biometric data.” As the plaintiffs’ case cleared procedural hurdles in court, Facebook’s representatives lobbied a long-serving Illinois state senator to propose an amendment to rewrite BIPA. While the amendment was ultimately withdrawn, the industry’s plan to influence regulation became evident. Facebook did not respond to a request for comment.

Meanwhile, companies such as Apple Inc. are making greater use of biometrics. The company is working on a way for iPhone users to unlock devices using their face. Amazon Web Services Inc. has an image-matching software that recognizes objects, faces, and themes. It makes a database of billions of images available to customers, mostly security companies and marketers. An Apple spokesman declined to comment; Amazon did not respond to a request for comment.

Georgetown’s Bedoya fears regulation won’t be approved until it’s too late—once a company has already connected all of the photos on the internet and linked them to facial recognition technology. “Once that happens, someone’s son or daughter is going to be identified by a stranger while walking through the mall or grocery store or just on their way to school,” he says. “That’s when Congress and legislatures will wake up to the fact that we’re not ready for this technology.”

Biometrics Regulation: The State (by State) of Play

  • Illinois: The law requires companies to get users’ permission to collect and store iris, fingerprint, voice, or facial scans. More than 30 lawsuits citing the statute have been filed in Illinois courts, including a trio of cases against Facebook that are testing the scope of the law and shaping proposed legislation across the country.
  • Texas: Passed in 2009, the state’s biometric identifiers statute restricts legal action to the state’s attorney general; individuals can’t sue. The AG’s office hasn’t filed any lawsuits stemming from the law.
  • Washington: The statute creates privacy exemptions for certain photos and restricts the right to legal action to the state’s attorney general; individuals can’t sue. Companies can use fingerprints, eye scans, or facial photos, which aren’t protected.
  • California: Lawmakers in Sacramento proposed a biometric information privacy bill in 2015. The proposal would have required businesses that collect personal data to protect it from misuse. The measure passed the state assembly; it never made it to a senate vote.
  • Connecticut: A bill requiring written notice from consumers whose biometric information would be collected was approved by the state’s house of representatives in 2016 but never made it to the senate. A similar measure proposed earlier this year didn’t get out of committee.
  • Montana: A BIPA-like bill proposed strict rules for consent but didn’t make it out of committee. Industry groups said companies wouldn’t meet the consent requirement. “About five seconds before the hearing started, a lobbyist told me they were going to kill the bill, and they did,” says sponsor Nate McConnell.
  • Arizona, Missouri: Bills were proposed this year to protect students’ rights to privacy. They didn’t make it out of committee.
  • Alaska, New Hampshire, New York: All three states put forth proposals—Alaska’s and New Hampshire’s were modeled after BIPA—that failed to make it out of committee. New York tried and failed twice.