Would you care if a store used facial recognition to track you as you shopped? If it could link your face to your credit card and know not just what you bought, but also what you looked at?
Data I’ve gathered on consumer sentiment suggests that many people do mind being tracked through their biometrics. In one study I conducted, 77 percent of people expressed interest in a coffee shop customer loyalty program that worked by ID card, but only 47 percent were interested if the same program tracked people with fingerprints or facial recognition.
Illinois is one of the very few states that prohibits companies from collecting and using biometric information without permission. And the Illinois Supreme Court heard oral argument in a case that may decide how vigorously that legal protection will be enforced.
The case concerns Illinois’ Biometric Information Privacy Act. This 2008 law prohibits companies from collecting your biometric information without your informed consent.
As laws go, it is fairly simple. Companies need to get permission in writing before they can collect biometric identifiers like fingerprints, voiceprints or scans of facial geometry. They then must keep the biometric information safe, and, once it has served its purpose, they must destroy it.
The problem with the law is that companies were sloppy about getting consent. Many employers used biometric timekeeping. They can do this under the law, but only if they have their employees sign consent forms. And many companies didn’t.
Other companies have scanned user-uploaded photos and created vast databases of facial recognition information. Not all those companies kept their paperwork in order either. So there has been a flood of lawsuits nationwide since 2015.
The first case from that flood has now reached the Illinois Supreme Court. In Rosenbach vs. Six Flags Entertainment Corp., plaintiff Stacy Rosenbach alleges that when she purchased a season pass for her son to attend Six Flags Great America in Gurnee, Illinois, in 2014, he had to get his thumb scanned to access the park. Rosenbach is alleging that Six Flags didn’t provide the kind of information, and get the kind of consent, that it needed to under the law.
Last week, Kathleen O’Sullivan, the attorney for Six Flags, argued that many of these lawsuits are “no injury” suits. Sure, the information has been collected without appropriate permission, but no one has been hurt (yet). To be allowed to sue under the statute, a person must be “aggrieved,” and, in her view, the mere collection of biometric data without consent isn’t enough by itself.
What’s the harm right now? That depends. Do you mind if a store tracks you as you shop? If you do, then the harm is the collection of your biometric information. Full stop, that’s enough.
As Phillip Bock, attorney for the plaintiff, explained, the legislature was “empowering people to make their own decisions about what happens with their biometrics.” It is easy to get biometric information. So, absent the law, there is nothing to stop companies from obtaining this kind of biometric information and using it to track customers. Why wouldn’t they?
My data suggest that this kind of biometric tracking worries people, and that there is indeed harm just from having biometric information collected. And people aren’t crazy to be skeptical of biometric technology. Though the United States hasn’t yet pushed biometrics to its limits, the Chinese government has already linked facial recognition to its vast network of surveillance cameras. We’re unlikely to follow their example and use facial recognition to punish jaywalking in Chicago, but there is a lot of money to be made from targeted marketing.
Is that a future we want?
Matthew B. Kugler
Matthew B. Kugler is an assistant professor of law at Northwestern Pritzker School of Law with an interest in issues of intellectual property, privacy and criminal procedure. He wrote this for the Chicago Tribune. -- Ed.
(Tribune Content Agency)