Despite intense scrutiny from lawmakers and 2020 presidential contender Bernie Sanders, some private companies still want to use facial recognition software to collect and use biometric data on their customers. Just this week, one grocery company argued that America’s first restrictive biometric data privacy law is unconstitutional.
This week Sanders became the first 2020 presidential candidate to call for a complete ban on the use of facial recognition software for policing.
In March, U.S. senators Ed Markey (D-Mass.) and Mike Lee (R-Utah) sent a letter to the Department of Homeland Security (DHS) requesting the department pause use of facial recognition software until there are “rules of the road” regarding the use of American citizens’ biometric data (like their faces or DNA).
A May hearing hosted by the Senate Commerce, Science and Transportation Committee discussed privacy concerns with biometric data usage at both public organizations — like the DHS and local police forces — and private companies. Some federal lawmakers are interested in building on state biometric data laws and rolling biometric data protections into a federal privacy law.
There are only a handful of states with biometric data privacy laws currently on the books: Illinois, Texas and Washington state. The New Hampshire House recently passed a biometric data privacy law, but it’s stuck in the senate.
But the private sector — especially retailers — are moving full steam ahead to implement facial recognition software into their operations.
Albertsons, the grocery conglomerate involved in a lawsuit over its use of biometric data, claims that the Illinois law, the Biometric Information Privacy Act (BIPA) is unconstitutional.
Former pharmacist Gregg Bruhn, who worked for Jewel-Osco, a supermarket and pharmacy chain owned by Albertsons, sued Albertsons in 2018 for requiring pharmacy employees to “have their fingerprints scanned by a biometric device to enable them to access the pharmacy computer system.” Bruhn said “he was not provided the written disclosures required under the BIPA to collect biometric information,” according to the court documents.
Albertsons moved to dismiss the lawsuit in April, citing BIPA’s HIPAA exception.
“Specifically, Albertsons argued that Plaintiff’s biometric data was collected for health care treatment, payment and operations as those terms are defined under HIPAA, and thus Plaintiff could not state a BIPA claim,” according to court documents. “Plaintiff opposed, largely on the basis that the BIPA’s HIPAA Exception applied only to patient data, not to the biometric data of pharmacists, like Plaintiff.”
Albertsons responded by asking the court to dismiss the lawsuit on the grounds that BIPA is too broad and too vague, and is thus unconstitutional.
“BIPA impermissibly excepts a wide swath of companies from the scope of the BIPA without rational basis and is impermissibly vague — leaving companies like Albertsons unable to assess whether the law applies to them, but to bear the brunt of alarming statutory damages if it does,” Albertsons claims in its Aug. 20 motion to dismiss.
According to the Illinois Constitution, no special legislation may grant certain entities certain privileges or exclude certain entities from participating in certain privileges. Because BIPA offers exceptions to financial institutions and state and local governments — permitting them to collect biometric data from Illinoisans — it violates the Illinois Constitution.
Thus far, the court has sided with Bruhn, despite acknowledging that Albertsons’ reading of the law is “plausible.”
The Electronic Frontier Foundation (EFF), a prominent privacy watchdog and think tank, recently announced that the Ninth Circuit Court of Appeals in Illinois will allow Patel v. Facebook, another lawsuit over the use of biometric data in Illinois, to move forward, which suggests the Illinois courts will upload BIPA despite pushback from the private sector.
Circuit Judge Sandra Ikuta, who wrote the opinion, argued that regardless of BIPA, the Supreme Court of the United States (SCOTUS) has historically ruled against companies infringing on individuals’ biometric privacy rights under its Fourth Amendment jurisdiction, leaning on individuals’ “common law privacy rights.”