Youtube, Facial Recognition Tech, and the Illinois BIPA
September 08, 2022 | 4 minutes read
While new sources around the country recently reported that several major fast food chains within the U.S. were facing a class action lawsuit within the state of Illinois for failing to protect the biometric data privacy rights of citizens within the state with respect to the Illinois Biometric Information Privacy Act (BIPA), including Applebees, Chipotle, and Red Lobster, in addition to others, these businesses were not the only organizations to have been hit with such a lawsuit within the past few weeks. To this end, reports that broke on August 29, 2022, state that the popular video-sharing and social networking website Youtube was also facing a class action lawsuit for failing to adhere to the provisions of the BIPA.
More specifically, the complaint that was filed in The United States District Court For The Southern District of Illinois alleges that a defendant had their biometric data privacy rights violated via Youtube’s “Face Blur tool or thumbnail creator containing at least one representation of his face, which Defendants in violation of BIPA captured, scanned for face geometry, and stored without providing Plaintiff any notice or receiving a written release required by BIPA.” With all this being said, the provisions of Illinois’s BIPA state that businesses must obtain consent from residents of the state prior to collecting, storing, or otherwise utilizing the biometric information of said individuals.
The monetization of biometric data
What’s more, the lawsuit that was filed against Youtube this past week also accuses Youtube of profiting from the biometric information they obtained from Illinois residents illegally without their consent. According to the suit, once Youtube’s facial recognition software captured the facial images of the defendants bringing forth their claims via the case, these images were then uploaded as thumbnails for videos that were created and shared via the social media platform. To this point, many popular content creators on Youtube use thumbnail images for their videos to drive traffic to said videos, which in turn, generate profits for the company, as these creators are paid in conjunction with their overall engagement and channel/video views.
Subsequently, in addition to prohibiting the use of biometric identifiers without the consent of an Illinois resident, the BIPA also forbids businesses from selling, leasing, trading, or profiting in any tangible way from the biometric information of Illinois consumers. On top of this, private entities are also banned from circumventing this rule by obtaining consent from an individual prior to selling their biometric data. Furthermore, the lawsuit goes on to state that even if Youtube had obtained consent to both collect and sell the biometric information of the numerous defendants associated with the case, such actions “would still be a legally insufficient disclosure to the individual whose image was captured and stored within the video.”
Profit vs. Privacy
As is the case with other major businesses and corporations that have been found to have violated U.S. state privacy laws such as the Illinois BIPA, the actions that have been deemed illegal within the state as it pertains to the collection and sale of biometric information are perfectly legally in virtually every other nation or jurisdiction around the world. For reference, very few U.S. states have passed any major form of data privacy law as of 2022, much less legislation that relates specifically to the protection of biometric data. Moreover, there is a general lack of biometric data protection legislation on a global scale as well, as the issue of biometric information privacy has not gained much attention when compared to other similar issues that fall under the umbrella of personal data protection.
Penalties for violating the BIPA
While the state of Illinois is unique in being one of a handful of jurisdictions around the nation to have enacted a biometric data protection law, residents within the state also retain the right to bring forth private right-of-action lawsuits against businesses they suspect have violated the rights they are entitled to under the BIPA. This is in contrast to many data privacy regulations around the world in general, as even the EU’s landmark GDPR does not permit residents of EU member states to bring forth individual lawsuits against organizations that violate their rights, giving Illinois residents the opportunity to receive compensation and justice in the manner they most see fit.
In spite of the fact that the state of Illinois was very much ahead of its time when it enacted the BIPA in 2008, the decision that the state legislature made at that time has paid dividends for residents in the present day. Likewise, the rise in facial recognition software in the past decade has left many citizens around the world open to newfound violations of their personal data and privacy, as developments that have been made within the fields of artificial intelligence and machine learning have ushered in a new wave of technology that has never been seen before in human history. As such, the BIPA will likely continue to influence the enactment of further biometric data privacy laws for years to come.