This article is part of the On Tech newsletter.
Americans should feel angry about companies harvesting every morsel of our data to sell us sneakers or rate our creditworthiness. But a data protection law that few of us know about should also give us hope.
I’m talking about the Biometric Information Privacy Act of Illinois, or BIPA. It’s one of the toughest privacy laws in the United States. And it passed in 2008, when most of us didn’t have smartphones and couldn’t have imagined Alexa in our kitchens.
It applies only to Illinois residents and limits nothing more than what companies do with data from our bodies, like face scans and fingerprints. But its principles and legacy show that effective laws can wrest a measure of control from information-hogging companies.
BIPA may also show that states can be America’s best laboratory for tackling the downsides of digital life.
The law’s pedestrian origin belies how consequential it came to be. In 2007, a company that let customers pay in stores with their fingerprints went bust, and it discussed selling the fingerprint database. People who thought that was creepy wanted to stop such activities.
Few outsiders paid attention to negotiations over BIPA, and this may have been the secret to its success. Now, tech companies unleash armies to deflect or shape proposed regulations.
The law’s text is simple but profound, Adam Schwartz, a senior staff attorney with Electronic Frontier Foundation, told me.
First, companies behind technologies like voice assistants or photo recognition services can’t use people’s biometric details without their knowledge or consent. Few American privacy laws go this far — and probably none will again. Typically we must agree to whatever companies want to do with our data, or not use the service.
Second, BIPA forces companies to limit the data they collect. Those two principles are in Europe’s landmark data privacy law, too.
And third, the law lets people — not just the state — sue companies. (More on this below.)
One practical effect of BIPA is that Google’s Nest security cameras do not offer in Illinois a feature for recognizing familiar faces. BIPA might be the reason Facebook turned off a feature that identifies faces in online photos. The Illinois law is the basis of some lawsuits challenging Clearview AI, which scraped billions of photos from the internet.
BIPA didn’t, however, stop the data-surveillance economy from growing out of control.
But Schwartz said that companies’ collection of our personal information would have been worse without the law. “BIPA is the gold standard and the kind of thing we’d like to see in all privacy laws,” he said.
I’ve written before about the need for a sweeping national privacy law, but maybe that’s not necessary. Rather than relying on a dysfunctional Congress, we could have a patchwork of state measures, like less aggressive versions of BIPA and California’s buggy but promising data privacy laws.
“There’s no one magical bill that is going to quote-unquote fix privacy,” said Alastair Mactaggart, the founder of Californians for Consumer Privacy, which backed those twin consumer privacy laws. He said that 50 privacy laws could be messy but better than one weak national law.
BIPA also shows that we shouldn’t feel helpless about controlling our personal information. The data-surveillance machine can be tamed. “The status quo is not preordained,” Schwartz said.
The two hottest terms in tech policy
I try not to bore you (and myself) with the law-making sausage. Allow me, though, to sneak in two terms to keep an eye on as more states and Congress consider regulation of technology companies, including on data privacy, online expression and restraints on their powers.
Those terms are private right of action and pre-emption.
The first one means, basically, that anyone can sue a tech company — not just government officials.