US state stands out by restricting corporate use of biometrics: Illinois
ST. LOUIS, September 16 (Reuters) – As night fell, an employee of a busy 24-hour MotoMart flipped a switch behind the counter.
Electromagnetic locks closed the door. A window sign, now illuminated in red, warned “facial recognition technology in use” and urged customers to “look at the camera.”
On this recent weekday evening, a woman who wanted cigarettes was locked out. Confused at first, she soon realized she needed to remove her medical mask. After his unobstructed facial image was scanned into a store computer and then compared to the company’s photographic records of former customers convicted of store-related crimes, the doors opened.
Just a few miles away, across the Illinois state border from Missouri, such filtering is against the law under the country’s toughest privacy laws. Private companies must obtain written consent before storing facial images or any biometric identifiers – fingerprints, palms, eyes and voices.
The contrast is testament to the digital privacy divide in the United States. On one side is Illinois, along with two other states and several US cities that currently require some form of public disclosure or consent for biometric screening. On the other, the rest of the country, including Missouri, where private sector uses are generally unlimited.
Illinois law prohibits businesses and private sector institutions from collecting biometric data from unsuspecting citizens of the state or online, regardless of where the business is based. Data cannot be sold, transferred or traded. Unlike any other state, citizens can sue for alleged violations, which has sparked hundreds of legal battles between David and Goliath against some of the world’s most powerful corporations.
A Reuters review of nearly 750 individual and class actions filed in Illinois since 2015 has found ample evidence that private companies, without disclosure or consent, have collected, marked and categorized biometric data gleaned from millions of Americans. unsuspecting. Most of the lawsuits have been filed since 2019, when the Illinois Supreme Court, in a sweeping decision, ruled that plaintiffs do not have to show prejudice to collect damages.
Privacy advocates warn that the rapid and largely uncontrolled growth of these tracking technologies has overtaken existing laws in most states, leaving individuals vulnerable to identity theft, invasion of privacy and breaches. discriminatory practices. Unlike a credit card or driver’s license, a person’s biometric data is unique and cannot be changed or replaced.
The MotoMart system is designed to protect privacy with tamper-proof software that prohibits owners from importing or exporting biometric data involving an outside source, said Thomas Sawyer, a retired St. Louis Police Detective. He co-founded Blue Line Technology, LLC, which created the store’s facial recognition system, along with a group of former and active law enforcement officers.
“We want people to know that they are being watched,” he said. “That’s why we have signs and a flashing light.”
Court records show that many companies use biometric systems to track employee and student performance or monitor customers to develop marketing and sales strategies. The lawsuits detail how companies or institutions allegedly used a fingerprint database of theme park visitors, including children, to look for signs of ticket fraud; examined the eye movements and typing cadence of college students for signs of cheating; and monitored employee interactions – who they spoke to and for how long – and the frequency of their bathroom breaks.
Cases are also pending against global web giants including Amazon.com Inc (AMZN.O), Apple Inc (AAPL.O) and Alphabet Inc’s Google (GOOGL.O), as well as physical companies such as McDonald’s. Corp (MCD.N). The food chain is accused of recording the voices of some drive-thru customers to track purchasing habits, according to the lawsuit. Complaints against the four companies are pending. All four declined to comment.
In court documents, Amazon, Apple and Google have denied any violation of Illinois law, saying privacy disclosures are provided to all users. Also in court records, McDonald’s disputed the charges against the company and claimed that the voice data was used for training purposes and “not to identify individual speakers.”
If a business is found to have violated Illinois law, citizens can levy civil penalties of up to $ 5,000 per violation, compounded by the number of people involved and the days involved. No state regulatory body is involved in the enforcement.
Some companies have opted for structured settlements. Facebook settled $ 650 million last year over accusations the social media giant collected millions of face photos without proper consent. Earlier this year, ByteDance, parent company of China-based Tik Tok, settled $ 92 for similar claims. Neither company admitted wrongdoing and neither responded to Reuters requests for comment.
At least half of the pending actions concern regional or local companies. A verdict or court settlement – even for violations that have not resulted in measurable harm – could be financially crippling and lead to layoffs, said Jack Lavin, chief executive and chairman of the Chicagoland Chamber of Commerce.
“Illinois law has been militarized,” he said. “It created a cottage industry to sue businesses.”
The Institute for Legal Reform at the United States Chamber of Commerce calls Illinois a “judicial hell.”
FINGERPRINT AT THE GROCERY STORE
It seemed like a science fiction idea: to use a fingerprint reader to shop for groceries. But in 2008, a California company burst into Illinois with such a futuristic online marketing pitch: “Imagine this. At the checkout, you place your finger on a small scanner. Instantly you see a list of your payment accounts on one screen, checking account, credit or debit card… no cards, checks, cash – no hassle.
Shortly after the buyers’ registration, the company declared bankruptcy. Court records revealed that the company planned to liquidate inventory, including the fingerprint database, to outside companies.
The Illinois Chapter of the American Civil Liberties Union took action and sponsored legislation that became the Illinois Biometric Information and Privacy Act, or BIPA. The California company’s fingerprint database was destroyed.
“We are not trying to ban the technology,” spokesman Ed Yohnka said. “We want to put in place protections to control, manage, inform and obtain consent. “
Only two other states currently have comprehensive biometric privacy laws. Texas and Washington regulate compliance through a government agency, such as an attorney general, according to a Reuters study of state records. However, the laws of both states are generally viewed as weaker than the Illinois mandates by privacy advocates; agencies often seek voluntary reform if violations are proven. California will implement more comprehensive privacy protections in 2022, which will limit how data is collected and create a new state regulatory agency focused on consumer privacy laws.
Meanwhile, pro-business groups are fighting to change Illinois law.
In January, the Chicago Chamber of Commerce sponsored legislation to ease financial penalties and eliminate citizens’ right to sue, known in legal parlance as a “private right of action.” The measure failed due to lack of support.
“WE COULD DO ALL KIND OF THINGS WITH THIS! “
The Missouri MotoMart was the first store in the country to install the surveillance lock device created by Blue Line. The company represents one of dozens of fledgling companies in America struggling to find a place in the facial recognition industry, focusing on small businesses with tight budgets.
Blue Line was launched in 2015 after Sawyer visited his friend, Marcos Silva, a former military software programmer who now works as a St. Louis Police Detective.
“Do you want to see something in my garage?” Sawyer remembers asking Silva.
Silva presented a prototype facial recognition program. Sawyer said he blurted out, “We could do all kinds of things with this!”
Today, Blue Line oversees about 50 systems, which cost about $ 10,000 each, at convenience stores and gas stations in 12 states. A private Catholic high school on the outskirts of St. Louis also uses the Blue Line system to verify the identities of students before they can enter the building.
But Blue Line faces a changing regulatory landscape. A Portland store ditched its system after city council voted to ban private sector use of facial recognition from this year. The ban does not apply to government or law enforcement.
Dozens of cities are now weighing new biometric restrictions. New York City modeled much of its new privacy law this year on that of Illinois; companies are required to publicly and prominently disclose when biometric systems are used.
Cities should “take a break” from allowing biometric technologies until laws demand public transparency and corporate accountability, said Alan Butler, executive director of the Washington DC-based Electronic Privacy Information Center.
Without legal guarantees, he said, real-time facial recognition systems like the one developed by Blue Line represent a “systemic threat to privacy.”
But Sawyer said he has proof that Blue Line’s program works. He showed Reuters a six-second video from July 2018 at an AM / PM convenience store in Yakima, Washington.
At 1:20 am, two young men wearing ski masks rushed to the front door of the store. The two appeared to be holding handguns under dark clothing. A man pulled the handle of the door, which was locked by the Blue Line system. The two men turned and ran.
Kush Hans, the store owner, said he installed the Blue Line system in 2017 after a masked thief shot dead a 25-year-old employee, a relative of the family.
Since facial recognition was installed, there have been no more thefts, he said.
Michael Berens reported from St. Louis and Chicago. Editing by Julie Marquis
Our Standards: The Thomson Reuters Trust Principles.