The lone strong biometric privacy law in the United States has struck again, this time taking $68.5 million from Instagram in a settlement for a class action first filed nearly three years ago.
Some other states have elements of biometric privacy law, but none are as comprehensive as Illinois or as demanding about express user consent for collecting such data. The suit is open to Instagram users who were active on the platform from August 10, 2015 to the present, and Meta has already been fined in the state for similar issues with Facebook.
Illinois biometric privacy law costs big tech firms big money
Passed in 2008, the Illinois Biometric Information Privacy Act forbids the collection of facial scans without informed consent. The suit alleges that a facial recognition feature introduced by Instagram in 2015 violated the law by collecting biometrics to find other pictures and videos hosted on Instagram and Facebook in which the user might appear.
Instagram maintains that it is not guilty and that the system is not actually “facial recognition” as defined within the bounds of the law. The feature remained in place until November 2021. Instagram users can file a claim until the September 27 cutoff date. The claim amounts are yet to be determined and will depend on how many people file and how long the individual used Instagram, but the similar recent Facebook settlement saw some people receive checks of up to $425. Up to four million are estimated to be eligible for payments, pending the final approval hearing on October 11.
The stringent biometric privacy law has also snagged Google and Snapchat, both of which paid similar settlements in 2022. Google paid only $100 million and Snap paid just $35 million, however, due in part to smaller user bases for the impacted services. Claimants in the Google case ended up receiving payments of about $95 each.
State biometric privacy laws remain few and far between, federal law remains thin
The Illinois biometric privacy law is noteworthy not just for the scope of its coverage, but also for its penalties: up to $1,000 per violation, or $5,000 if the incident is deemed intentional or reckless. Companies must not only obtain clear user consent, but also destroy unused biometric identification markers within a prescribed amount of time and keep them properly secured from hackers and leaks while held. In addition to the suits against assorted tech platforms that scan facial pictures for biometric information, Six Flags has been sued in the state for using visitor fingerprints without informed consent.
Nothing else in the US compares in terms of biometric privacy law, but some states are farther along than the federal government is. There is existing legislation of some sort in six other states at present, but none provides both the same public right of action and the same high level of maximum penalty. Legislation has been proposed in 17 other states, but only Tennessee, New York, Nevada, Minnesota, Massachusetts, Maine, Kentucky, Hawaii and Arizona are currently considering bills that compare to the terms of the Illinois BPA.
The federal government’s best recent effort has been the National Biometric Information Privacy Act of 2020, introduced by Senator Jeff Merkley in August 2020. This bill would actually grant broader protections than the Illinois BPA terms, but has yet to be taken up in any meaningful way.
Recently, some federal regulatory bodies have taken it upon themselves to fill certain persistent gaps in data privacy and security law, at least to the extent that their present authority allows. The FTC may be eyeing that role for itself with biometric privacy law, announcing in mid-May that if these technologies cause harm to consumers or make use of deceptive or unfair practices, they may be found in violation of the FTC Act. The agency has established that companies using these technologies have a responsibility to assess foreseeable harms to consumers, promptly address known risks, ensure data collection is not “surreptitious” or “unexpected,” provide appropriate privacy training for employees and contractors, and ensure that third-party contractors are held to the same standard.
The European Union’s General Data Protection Regulation (GDPR) is generally regarded as the global “gold standard” for biometric privacy law, forbidding processing for the purpose of uniquely identifying individuals unless the purpose falls into a narrow set of authentication and security exemptions. Some nations in the bloc tack on their own additional laws, such as Portugal, which entirely outlaws the creation of biometric databases. US federal law is lagging behind even countries such as Turkmenistan. Despite being notorious for internet shutdowns and developing government-run email and messaging services, the small Central Asian nation has a data protection law on the books that regards biometric data as sensitive personal information and strictly limits the use of it.