Biometrics privacy push coming to states in 2023

Often touted as a security feature and convenience for consumers, critics argue it is also an invasive tool that companies use to identify and track consumers.
A giant KIA video screen advertises facial recognition in prototype vehicles as patrons walk past at CES International Wednesday, Jan. 9, 2019, in Las Vegas. (AP Photo/Ross D. Franklin)

Civil libertarians and digital rights groups are gearing up to convince more states to adopt Biometric Information Privacy Act laws to regulate how companies deploy facial recognition and other biometrics-based technologies.

The rapidly growing use of biometrics is often touted as a security feature and convenience for consumers, but critics argue it is also an invasive tool that companies use to identify and track consumers.

This year, lawmakers in California, Kentucky, Maine, Maryland, Massachusetts, Missouri and New York pushed biometric privacy legislation, according to tracking by the law firm Troutman Pepper. The issue is expected to come up in several more states in 2023.

“I think there is a fairly good chance that at least 20% of the state legislatures are going to introduce BIPA bills,” said Chad Marlow, a senior policy counsel at the American Civil Liberties Union, who called that “a massive jump.”

Marlow said the ACLU is engaging in a coordinated, multi-state effort on the issue of biometric privacy, a topic that has attracted bipartisan interest and cuts across traditional red state-blue state fault lines.

The sponsor of the Maine bill, state Rep. Margaret O’Neil (D), said her proposal, which died at the end of the legislative session, is likely to return in 2023.

“This is a big deal for all of us, it affects the kind of society we live in,” O’Neil said. “It’s your fingerprint or your face or your gait.”

In Montana, state Sen. Ken Bogner (R), chair of the Economic Affairs Interim Committee, said he is in the process of drafting a state constitutional amendment to establish biometric data as a person’s individual property.

“If a company sees that it is in the Constitution, they’ll take it more seriously, and that’s a message we want to send,” Bogner said.

Bogner said the Montana legislature is likely to consider legislation in 2023 to restrict the use of facial recognition by law enforcement and other government entities. Maine passed a similar law last year.

Biometric data is particularly sensitive because, unlike a password that can be changed, it is based on a person’s immutable characteristics like their facial features, eyes, fingerprints or voice.

Illinois, Texas and Washington have already passed stand-alone biometric laws to address the collection of such things as faceprints, fingerprints and retinal scans by nongovernmental entities. Other states, such as California, have included biometrics provisions in their broader consumer digital privacy laws.

The Illinois law is the nation’s oldest and the one that privacy advocates point to as a model — in large part because it includes a private right of action, meaning individuals, not just the state, can sue under the law.

Texas’ Capture and Use of Biometric Identifier Act from 2009 is similar but lacks the private right of action and remained unenforced until earlier this year.

“The evidence is pretty strong that a private right of action is pretty crucial to having an effective BIPA law,” Marlow said.

Since it was enacted, Illinois’ BIPA has spawned hundreds of lawsuits resulting in hundreds of millions of dollars in fines and penalties.

In May, the ACLU announced a settlement in a lawsuit brought under the Illinois law against Clearview AI, a facial recognition company that boasts a database of more than 30 billion facial images from around the world. Under the settlement, Clearview is restricted from selling its data to private entities in the U.S.

Facebook, Google, TikTok and Snapchat have also run afoul of Illinois’ law.

The ACLU has drafted model biometric privacy legislation that includes a private right of action and establishes a $5,000 fine for each intentional or reckless violation. The model statute requires companies to obtain written permission to collect and use biometric data, limits how long companies can retain the data, restricts the sale of the data and gives consumers the “right to know” what data a company has collected about them.

But the push to export Illinois’ law to other states faces opposition from the tech industry.

“We support [giving consumers] notice, we think you should be able to give users the opportunity to control the sharing of who gets access to [their data] — absolutely. But the Illinois bill is such a brute force approach that doesn’t work in reality,” said Carl Szabo, vice president and general counsel for the center-right tech trade group NetChoice.

Szabo criticized the Illinois law as a magnet for lawsuits and said biometric regulations can have unintended consequences. He gave the example of Google’s NestCam which does not offer its “familiar face alert” feature to customers in Illinois.

“What you are starting to see is a lot of useful services are disallowed in the state of Illinois,” Szabo said.

Chamber of Progress, a center-left tech industry group, raised similar concerns this year about a biometric bill under consideration in California.

“Unfortunately, the bill’s approach could threaten the safety and security of California’s residents, and could deny Californians other benefits of technological advances in biometrics,” the group said in a letter to the chair of the Senate Appropriations Committee.

O’Neil, the Maine lawmaker, said she is unpersuaded by these arguments.

“Companies always try to distract us with small conveniences so that we don’t pay attention to the big picture,” O’Neil said.

Of particular concern to privacy advocates is the potential for biometric data to be misused, stolen or end up in the hands of the government. Those concerns have been amplified in the wake of the U.S. Supreme Court’s decision in June to overturn Roe v. Wade, resulting in abortion bans in more than a dozen states.

“It’s only a matter of time until they try to get their hands on biometric data in their efforts to identify and punish abortion seekers,” said Adam Schwartz, assistant director at the Electronic Frontier Foundation, which is also advocating for biometric privacy laws.

Marlow, the ACLU privacy expert, said the Dobbs v. Jackson Women’s Health Organization case has broad implications but is “not a major factor” in the push for biometrics legislation in the states.