To defend our privacy, biometrics law must be protected

Sometimes, what the Legislature doesn’t enact can be as important as what it does.

For another session, the Illinois Legislature has wisely neither repealed nor weakened a pioneering law that protects the biometric information of each of the state’s residents, the Biometric Information Privacy Act. The Legislature stood firm even though many big tech companies would like to boot the law into cyberspace.

Individuals’ thumbprints, retinas, irises and faces become biometric information once they are stored digitally. Companies can profit when they use or sell the data. But if the data falls into the hands of criminals who scoop it up on the dark web or through data breaches, it could make ordinary identity theft look like a parking ticket. Unlike getting a new credit card number, biometric data can’t be changed.

BIPA requires entities that collect biometric information to notify people they are collecting it, say how it will be used and obtain their approval. It was the country’s first such law and remains the most stringent. On Tuesday, a federal judge ruled it doesn’t exclude photo-derived facial recognition.

But as reasonable as the law is — companies can collect the information, but they have to be open about it — it keeps popping up in lawsuits.

On Thursday, Google settled a $100 million class-action privacy lawsuit that alleged Google didn’t get users’ consent for a tool that sorts faces in its Google Photos app by similarity.

Last month, the U.S. Ninth Court of Appeals allowed a settlement to go forward in a lawsuit that claimed Facebook violated BIPA by collecting and storing users’ biometrics as part of its “tag suggestions” and other features involving facial recognition technology.

In February, Tiktok’s parent company agreed to pay $92 million to settle claims that it violated BIPA by not getting consent to collect facial and fingerprint scanning and other biometric information.

Although none of the companies admitted wrongdoing, these settlements raised hope that we can avoid a future in which each of us is tracked throughout our lives by our unique physical characteristics. People shouldn’t have to constantly dig through ever-changing privacy settings in all kinds of apps to try to protect their biometric information.

Efforts are underway in Congress to protect biometric information. Encouragingly, some federal lawmakers are even talking about banning businesses from abusing customers’ biometric information. A strong federal law that doesn’t weaken protections provided by the states would be ideal. But nothing has passed at this point.

Illinois’ law could be tweaked to improve it, but first, opponents must agree to negotiate rather than just try to get rid of it.

Our privacy depends on it.

Send letters to letters@suntimes.com.