Youtube, Facial Recognition Tech, and the Illinois BIPA

September 08, 2022 | 4 minutes read
Youtube, Facial Recognition Tech, and the Illinois BIPA

While new sources around the country recently reported that several major fast food chains within the U.S. were facing a class action lawsuit within the state of Illinois for failing to protect the biometric data privacy rights of citizens within the state with respect to the Illinois Biometric Information Privacy Act (BIPA), including Applebees, Chipotle, and Red Lobster, in addition to others, these businesses were not the only organizations to have been hit with such a lawsuit within the past few weeks. To this end, reports that broke on August 29, 2022, state that the popular video-sharing and social networking website Youtube was also facing a class action lawsuit for failing to adhere to the provisions of the BIPA.

More specifically, the complaint that was filed in The United States District Court For The Southern District of Illinois alleges that a defendant had their biometric data privacy rights violated via Youtube’s “Face Blur tool or thumbnail creator containing at least one representation of his face, which Defendants in violation of BIPA captured, scanned for face geometry, and stored without providing Plaintiff any notice or receiving a written release required by BIPA.” With all this being said, the provisions of Illinois’s BIPA state that businesses must obtain consent from residents of the state prior to collecting, storing, or otherwise utilizing the biometric information of said individuals.

The monetization of biometric data

What’s more, the lawsuit that was filed against Youtube this past week also accuses Youtube of profiting from the biometric information they obtained from Illinois residents illegally without their consent. According to the suit, once Youtube’s facial recognition software captured the facial images of the defendants bringing forth their claims via the case, these images were then uploaded as thumbnails for videos that were created and shared via the social media platform. To this point, many popular content creators on Youtube use thumbnail images for their videos to drive traffic to said videos, which in turn, generate profits for the company, as these creators are paid in conjunction with their overall engagement and channel/video views.

Subsequently, in addition to prohibiting the use of biometric identifiers without the consent of an Illinois resident, the BIPA also forbids businesses from selling, leasing, trading, or profiting in any tangible way from the biometric information of Illinois consumers. On top of this, private entities are also banned from circumventing this rule by obtaining consent from an individual prior to selling their biometric data. Furthermore, the lawsuit goes on to state that even if Youtube had obtained consent to both collect and sell the biometric information of the numerous defendants associated with the case, such actions “would still be a legally insufficient disclosure to the individual whose image was captured and stored within the video.”

Profit vs. Privacy

As is the case with other major businesses and corporations that have been found to have violated U.S. state privacy laws such as the Illinois BIPA, the actions that have been deemed illegal within the state as it pertains to the collection and sale of biometric information are perfectly legally in virtually every other nation or jurisdiction around the world. For reference, very few U.S. states have passed any major form of data privacy law as of 2022, much less legislation that relates specifically to the protection of biometric data. Moreover, there is a general lack of biometric data protection legislation on a global scale as well, as the issue of biometric information privacy has not gained much attention when compared to other similar issues that fall under the umbrella of personal data protection.

Penalties for violating the BIPA

While the state of Illinois is unique in being one of a handful of jurisdictions around the nation to have enacted a biometric data protection law, residents within the state also retain the right to bring forth private right-of-action lawsuits against businesses they suspect have violated the rights they are entitled to under the BIPA. This is in contrast to many data privacy regulations around the world in general, as even the EU’s landmark GDPR does not permit residents of EU member states to bring forth individual lawsuits against organizations that violate their rights, giving Illinois residents the opportunity to receive compensation and justice in the manner they most see fit.

In spite of the fact that the state of Illinois was very much ahead of its time when it enacted the BIPA in 2008, the decision that the state legislature made at that time has paid dividends for residents in the present day. Likewise, the rise in facial recognition software in the past decade has left many citizens around the world open to newfound violations of their personal data and privacy, as developments that have been made within the fields of artificial intelligence and machine learning have ushered in a new wave of technology that has never been seen before in human history. As such, the BIPA will likely continue to influence the enactment of further biometric data privacy laws for years to come.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »