By William Raven
Home Depot and Lowes, the home improvement giants, are facing backlash: not for inattentiveness to the many DIYers seeking help from orange and blue aprons, but for paying too much attention. Plaintiffs, identified simply as residents of Illinois who have shopped at one or both of the aforementioned chains, allege violations of the Illinois Biometric Information Privacy Act (BIPA). The alleged transgressions stem from the implementation of facial recognition software into the defendants’ security camera systems. The suit further alleges the retailers use this software to track customer movement throughout the stores, creating a cache of unique facial identifiers for all, whether perusing for paint or looking for ladders. In addition, the suit claims the retailers have shared this biometric information with other entities. As Home Depot and Lowes do not obtain express authorization from those who are subjected to their cameras wielding facial recognition software, the virtual sentinel which never forgets, the plaintiffs allege a privacy intrusion and seek redress for the retailers’ “systemic and covert” practices.
BIPA attempts to regulate private entities’ “collection, use, storage, and disposal” of an individual’s “biometric identifiers.” These biometric identifiers include a “retina or iris scan, fingerprint, voiceprint, or a scan of hand or face geometry.” These identifiers may be used to streamline financial transactions and improve the security procedures of private institutions. Unlike other personal identifiers such as PINs and Social Security numbers, biometric identifiers cannot be changed once compromised, as they are intrinsically linked to the individual. This inability to alter one’s biometric identifiers makes it extremely hard to remedy an invasion of privacy, and leads to increased risks of identity theft.
In Vigil v. Take-Two Interactive Software, Inc., the U.S. District Court for the Southern District of New York, applying Illinois law, explained that the Illinois legislature did not wish to deem the use of biometrics in financial transactions and security procedures as wrongful on its face when enacting BIPA, but instead wished to ensure the protection of the data from use for an improper purpose, treating the data as sensitive and confidential. In other words, the use of biometric identifiers to streamline transactions and provide better security is allowed and even lauded under the act, when the sensitive data is collected willingly and stored under conditions suitable to protect this unique information.
The plaintiffs argue that their biometric data was collected without notice or consent. This practice seemingly violates §15(b) of BIPA, which states that no private entity may collect biometric data without first informing the subject that biometric data is being collected, informing the subject of the time period for which that data is stored, and receiving a written release from the subject consenting to the use of a biometric identifier. Therefore, due to the plain language of the statute and clear intention of the Illinois legislature, Home Depot and Lowes are in clear violation of §15(b).
Lowes and Home Depot assert that this biometric data is collected and stored in order to protect against theft and generally enhance the safety and security of their stores. Biometric data, with its ability to accurately track and identify shoplifters, and those who create other disturbances in store, may be used as an effective tool to protect establishments as well as their patrons. BIPA, in its valiant effort to protect the consumer from data misuse, may thus ironically expose the unwitting individual to risks which the use of biometrics for security purposes may very well prevent.
The capture and use of biometric data for commercial purposes should be differentiated from the use of this information in furtherance of security. One of the major risks associated with the collection of biometric data in the commercial setting is the proliferation of the data brokerage business. Data brokers are entities that “collect consumer data, aggregate and analyze that information, and then sell it to third parties, often for marketing purposes.” The Federal Trade Commission has categorized aspects of this industry as adverse to consumers, and even discriminatory.
In order to navigate the conflicting interests of consumer privacy, consumer safety, and business interests, Washington, in its equivalent to Illinois’ BIPA, Rev. Code. Wash. §19.375.020, regulates only biometric data stored for “commercial purposes.” In regulating biometric data solely for commercial purposes, §19.375.020 severely limits the ability of data brokerage entities to collect and disseminate biometric data while allowing businesses to collect and store this data for security purposes, including protection against “fraud, criminal activity, claims, security threats, or liability.”
Both consumer rights and the rights of businesses to secure their premises are furthered when the regulation of biometric data is limited to commercial purposes. The plaintiffs in the suit against Lowes and Home Depot alleging a violation of BIPA would have no recourse for the collection and storage of their biometric data if Illinois contained a commercial purpose limitation on the regulation of biometric data. However, businesses like Home Depot and Lowes should be able to wield the proverbial tool of biometric data in the context of security measures to ensure the security of their wares, premises, and customers.
Student Bio: William Raven is currently a second-year law student at Suffolk University Law School. He is a staffer on the Journal of High Technology Law. Prior to law school, William received a Bachelor of Arts Degree in English from the College of the Holy Cross.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.