Biometric privacy laws must evolve with the times

Illinois is home to some of the strongest consumer privacy regulations in the country, including its rules governing the use of biometric data.

Perhaps you were one of the folks who got a check from Facebook after a class-action lawsuit alleging violations of Illinois' 2008 Biometric Information Privacy Act. Facebook's "Tag Suggestions" feature used facial recognition to scan users' uploaded photos, creating "face templates" or biometric identifiers.

Plaintiffs said this happened without the required written consent or publicly available retention/destruction policy. In February 2021, the case was resolved with a court-approved $650 million class-action settlement — widely described by the judge as a landmark in consumer privacy law.

Facebook isn't the only company dealing with these lawsuits. A Chicago man sued Home Depot this month, alleging the retailer used facial recognition at self-checkouts without consent or required policies — a potential violation of BIPA.

One could argue that our biometric privacy rules are a very important tool in protecting personal privacy. Indeed, we are grateful for barriers to widespread misuse of such personal information. On the other hand, you could also argue that Illinois' biometric data laws are responsible for regulating a marketplace that is changing by the second — and they're not keeping up. There's truth to that, too.

Take this question, for example:

Should digital infrastructure providers like data centers or cloud platforms be held liable when someone's biometric data is misused?

Legal minds are actively debating this question. And many in the industry — including those who lobby on its behalf — are concerned their network could be in the legal crosshairs unfairly if the rules aren't updated.

Illinois' biometric rules apply to any "private entity" that collects, captures, purchases, receives through trade or otherwise obtains a person's biometric identifiers or information. That means if a company is in possession of, or is making use of, biometric data, it has duties such as proper informed consent before collection and written, publicly available retention and destruction policies.

So far, most high-profile cases have focused on end-user firms such as employers, retailers and social-media platforms. But there's no explicit carve-out in BIPA for data centers or cloud providers. If they merely store encrypted information, they can argue they're not "collecting" or "using" biometrics. But if a provider offers biometric processing services — or fails to safeguard the data in its possession — plaintiffs could test the boundaries of liability.

There's a lot to gripe about when it comes to data centers — their reliance on our natural resources, or their debatable claims of being long-term job creators. This won't be the last thing we write about the industry. But in this case, we think there's room for improvement — and clarification.

It's important to keep laws up to date with fast-moving technology. It's also important that our state remains competitive as a tech hub.

The state has done this before. Just last year, lawmakers approved, and Gov. JB Pritzker signed, changes to BIPA that limited potential damages and broadened the definition of "written release" to cover electronic signatures.

Legislating is a slow process, but when you're regulating something so big and fast-changing, you have to be nimble. If data centers played — or could play — an active role in policing use of biometrics, they would be fair game as potential defendants. But they don't.

The data-center industry has a solid argument here, we believe, that they shouldn't be liable under BIPA for misuse of people's likenesses or identities.

(COMMENT, BELOW)

Chicago Tribune
(TNS)
Previously:
• 08/26/25: What Justice Barrett's words on disagreement can teach us
• 08/21/25: Who's afraid of a healthy school lunch?
• 08/06/25: Joe Rogan belonged on Time's list of best podcasts
• 07/22/25: At a Coldplay concert, a kiss cam catches a cuddle and ruins lives
• 06/26/25: Want to know how a socialist mayor would govern New York City? Just ask Chicago
• 06/11/25: Hoping for a bond market crash to take down MAGA?
• 05/06/25: The Biden health saga should remind the media to tell the truth
• 05/06/25: Dems are doubling down on vulgar language. To what end?
• 02/25/25: Antisemitic fears in Windy City coalesce around a controversial puppet
• 02/05/25: Want a low-stress job with lots of time off? This state says it wants to recruit you
• 01/28/25: We are in a mental health crisis. A 'moonshot' is needed
• 11/07/24: Trump's win was a stunning repudiation of the chattering classes
• 03/21/24: Crypto's improbable comeback is cause for cheer --- and prudence
• 02/20/24: Don't write off fake meat just yet
• 11/23/23: Critical thinking is losing out to TikTok. A Thanksgiving intervention might help
• 11/23/23: Did the maker of Oreos surreptitiously cut the creme-to-cookie ratio?
• 11/15/23: David Cameron, a former British PM, makes a surprise return as Suella Braverman gets the chop. Is there a lesson here for the US?
• 10/23/23: Turns out it's bad business to jack prices just because you can
• 09/28/23: Here's why President Joe Biden should not have joined the UAW picket line
• 07/28/23: Surprise! Some good news from the IRS
• 06/07/23: Supreme Court just fired a shot at delinquent property taxes
• 05/05/23: Can't force an unprofitable grocery store to remain open
• 03/06/23: A powerful paper comes clean about its 'China virus' coverage
• 02/08/22: Facebook flops and The New York Times buys a puzzle. What's going on?