Don’t gut Illinois law that prohibits the secret sale of our fingerprints and other biometric information
Under the guise of helping small businesses, lawmakers are trying to repeal or eviscerate Illinois’ pioneering Biometric Information Protection Act.
By the Chicago Sun-Times Editorial Board
At the very same time rapidly advancing technology is making it easier for companies to snatch and secretly sell our personal biometric information, such as our fingerprints, clueless Illinois lawmakers are trying to do away with one of the strongest privacy protection laws in the nation.
The Legislature should reject these efforts — a slew of bills aimed at repealing or watering down Illinois’ pioneering 2008 Biometric Information Protection Act — and turn its attention to measures that serve the people of Illinois rather than sell them out.
The Biometric Information Protection Act, widely called BIPA, is not an unreasonable burden on small businesses, as critics claim. Far from it. It merely requires that companies gathering fingerprints, retinal scans, facial recognition or other biometric information inform users they are doing so, explain how the data will be used or sold and obtain users’ permission.
BIPA doesn’t bar anyone from gathering biometric information. It simply requires that if, for example, a company decides to use thumbprint data to identify customers, the company had better be upfront about it.
If anything, the law should be stronger.
Tech firms vacuum up data
In truth, the companies that would benefit most by eviscerating BIPA are not small businesses. They are, rather, the sprawling tech firms that get insanely wealthy by vacuuming up as much information as possible to build individual dossiers on everyone.
It’s telling that the lawmakers who claim BIPA has hurt small businesses have been unable to produce any substantial evidence of this. Where is the parade of horribles showing that specific small businesses have suffered?
Unlike your credit card numbers, biometric identifiers such as thumbprints, retinas, irises and faces can’t be changed if the information falls into the wrong hands through dark web sales or data breaches. Once the information is out on the web, stalkers or others with evil intent can use facial recognition, for example, to gain access to your full electronic profile, including your home address, birth date, phone numbers and any other information that might have been scattered online through endless data breaches.
Your anonymity is gone, and you don’t even know it.
Track you anywhere
If we’re not careful, widely dispersed biometric information will allow online leviathans to identify and track us wherever we go, whether it is to an airport, a church or a protest. When biometric identification makes mistakes, which is a particular burden for African Americans, who are more often misidentified, the repercussions can be severe.
In 2004, an Oregon lawyer was erroneously jailed in connection with a Madrid train bombing because the FBI made a mistake in identifying the most basic of biometric information, a fingerprint.
BIPA was written in 2008 after a hacking incident in which biometric information was stolen, and it has been an indisputably effective law since then, partly because it includes a “private right of action” that lets victims sue for violations.
Last month, a federal judge ordered Facebook to pay $650 million for capturing and storing face scans of 6.5 million residents of Illinois without getting consent. In 2016, L.A. Tan settled a case for $1.5 million for not following BIPA guidelines. Last year, the ACLU sued the software company Clearview AI for gathering 3 billion online faceprints without the knowledge or consent of those whose pictures wound up in Clearview’s database.
No doubt, some companies would rather get rid of BIPA than bother to comply. But the Illinois Supreme Court has ruled that taking biometric information without consent damages individuals. Without a law such as BIPA, those who are harmed would have no recourse.
Legitimate purposes
It’s not that biometric information doesn’t have its useful purposes. Obviously, it does.
It can help you establish your identity. It can be a convenience for doing things such as logging onto your cell phone. It can help people keep up to date with each other by tagging photos on the internet. Libraries can use fingerprints to allow patrons to check out books. Law enforcement can use biometric data to solve crimes.
The key, though, is that government must ensure biometric information is closely protected and used legitimately.
Other states and cities have begun to enact their own biometric protection laws, often modeled after the Illinois law. And instead of trashing the protections Illinoisans have, the Legislature should expand them.
For example, websites, e-services and apps should be required to disclose when they scoop up information about our online activities and resell it through the interconnected Big Brother that has more information about us than most people imagine.
Biometric information is as personal as it gets. Let’s keep it that way.