The facial recognition company Clearview AI agreed in a settlement this month to stop selling its massive database of photographs culled from the internet to private firms across the United States. That decision is a direct result of a lawsuit in Illinois, a demonstration that strong privacy laws in a single state can have nationwide ramifications.
The Biometric Information Privacy Act of Illinois sets strict limits on the collection and distribution of personal biometric data, like fingerprints and iris and face scans. The Illinois law is considered among the nation’s strongest, because it limits how much data is collected, requires consumers’ consent and empowers them to sue the companies directly, a right typically limited to the states themselves. While it applies only to Illinois residents, the Clearview case, brought in 2020 by the American Civil Liberties Union, shows that effective statutes can help bring some of Big Tech’s more invasive practices to heel.
Technology companies are in a feverish race to develop reliable means to automate the identification of people through facial scans, thumbprints, palm prints and other personal biometric data. The data is considered particularly valuable because unlike, say, credit card info or home addresses, it cannot be changed. But as these data companies profit by deploying the technology to police departments, federal agencies and a host of private entities, consumers are left with no real guarantees that their personal information is protected.
Facial recognition software, in particular, has been shown to fail too often at identifying people of color, leading in some cases to wrongful arrests and concerns that the software could put up additional barriers to people seeking jobs, unemployment benefits or home loans.
Because the United States lacks meaningful federal privacy protections, states have passed a patchwork of laws that are largely favorable to corporations. By contrast, Europe passed the General Data Protection Regulation six years ago, restricting the online collection and sharing of personal data despite a tremendous lobbying push against it by the tech companies.
The Illinois law’s provision allowing individuals to sue the companies, known as a private right of action, has led to hundreds of lawsuits, to surprising success. Google recently agreed to pay $100 million to settle a lawsuit that it had improperly used Illinois residents’ photos, and the company said it will add new prompts to seek consumers’ consent to group photos together. Meta, Facebook’s parent company, will pay $650 million to settle a similar lawsuit filed in the state, and the video streaming platform TikTok’s parent company, ByteDance, agreed to settlement terms over claims that it scanned and used biometric data without consent in Illinois. Snapchat is also facing a class-action lawsuit in the state over its facial recognition practices.
“People don’t realize how much they’re just giving away to these companies,” Faye Jones, a professor at the University of Illinois College of Law, said in an interview. “It’s not that difficult for companies to comply with Illinois’s rules.”
Tech companies, she said, have successfully lobbied for watered down or nonexistent biometric data provisions in other states. In addition to Illinois, Washington and Texas — which is suing Meta for misuse of consumers’ personal data — have broad statutes governing the use of biometric identifiers, but those states do not grant a private right of action. Washington State has failed for three years running to pass a comprehensive privacy bill, in part because of opposition to private right of action provisions.
And while much attention has focused on facial recognition, with local government agency bans on its use in multiple jurisdictions, including San Francisco and Minneapolis, in recent years, technology firms are honing their skills at using other data to identify people, particularly by combining information like our mobile phones’ locations, purchasing data, fitness trackers and license plate scanners, to name a few. A singular focus on facial recognition, while well intentioned, elides the urgent need for broad reforms over consumer privacy.
To those who question the harm of private firms like Google or Amazon aggregating their biometric data, consider whether the companies would sell, or already have, that technology and information to foreign and domestic governments and other third parties.
Of course, not all data collection is inherently bad — it can help refine and improve the products we use for free every day — but biometric data can be far too easily used to discriminate. Companies could simply purchase data to infer race, gender, sexual orientation and other intimate details that can improperly influence credit firms or potential employers. Once that data has found its way into the hands of data brokers and other analytics firms, it is next to impossible to recover it all.
The Illinois statute demonstrates that strong laws can induce companies to change their policies in favor of consumers. Clearview, which had indicated an ambition to collect 100 billion photos from social media and other sources to aid in facial scans, said it will stop working with Illinois police departments and other government agencies for five years and halt providing its database to most private businesses nationwide, a major blow to its business. It is also giving Illinois consumers a clearer option to opt out of having their photos appear in Clearview search results.
Between the growing influence of technology lobbyists in Washington and our increasing reliance on mobile phones and tablet computers, consumers are facing an uphill battle against Big Tech. And outside of Illinois they enjoy precious few protections from the worst excesses of data collection.
With Congress’s repeated failure to advance any meaningful legislation, it may be up to states to help consumers wrest back some control over their own data.
The Times is committed to publishing a diversity of letters to the editor. We’d like to hear what you think about this or any of our articles. Here are some tips. And here’s our email: [email protected]
Follow The New York Times Opinion section on Facebook, Twitter (@NYTopinion) and Instagram.