
Basics of Illinois Privacy Laws

Have you ever wondered who has access to biometric data in your smartphone, such as the “Face-ID” identification that companies like Apple and Samsung highlight in newer devices, as well as some of the potential legal risks attached to them?

Right before Halloween, the United States Court of Appeals for the Seventh Circuit heard oral arguments from plaintiffs claiming that Samsung has control or possession of biometric data coming from the users’ photos. The appellee argued that Samsung illegally scans facial features in photos and groups them together via facial geometry or possession without notice of or permission from the user. Meanwhile, appellant Samsung contended that (1) the plaintiffs conflate the company’s software with the company itself regarding the alleged access, and (2) the technology cannot identify any one individual based on the information purportedly collected from the users’ photographs.

In addition to establishing certain individual rights, the Illinois state government has pioneered laws protecting a person’s privacy.

While the U.S. government recently enacted certain federal protections for a person’s information, such as the Health Insurance Portability and Accountability Act (“HIPAA”) and Genetic Information Nondiscrimination Act (“GINA”), Illinois’ own set of privacy laws builds upon these protections, including (1) the Illinois Biometric Information Protection Act (740 ILCS 14, “BIPA”); (2) the Illinois Genetic Information Privacy Act (410 ILCS 513, “GIPA”); and (3) the Illinois Personal Information Protection Act (815 ILCS 530, “PIPA”). The Acts are similar in scope, but each has its own unique elements. Illinois does not have a broad privacy-based law.

BIPA (the Act at play in the case above) requires private companies to provide notice and obtain informed, written consent before collecting, using, or storing Illinois residents’ biometric and personal health information. This includes fingerprint scans (such as clocking in and out of work) or facial geometry (akin to facial recognition on your phone’s photo library). Companies must also explain the reason for using a person’s information and the retention schedule (how long they will hold onto the information). Companies also can’t sell or profit from this information. BIPA provides a private right of action, allowing a person to individually sue the company for violations.

Meanwhile, GIPA prevents employers and insurers from using genetic testing information to discriminate against an employee, insured, or potential job applicant. Genetic information under GIPA is pretty broad, and can include genetic testing, family medical history, and information about genetic services or acting as a research participant. Employers must have an individual’s permission to use their genetic information for nearly any reason. GIPA (like BIPA) allows a private right of action for violations of a person’s private genetic information.

PIPA aims to protect a person’s sensitive personal data attached to their first and last name, like their Social Security number, driver’s license number, and financial account information. PIPA requires a private business to implement reasonable security measures to protect said data from improper access, mandating the company notify consumers and the Illinois Office of the Attorney General if a data breach affects more than 500 individuals. PIPA primarily focuses on data security and breach notification, such that individuals are notified if their private information is compromised, holding businesses accountable for the security of collected and stored data.

In the case above, the Seventh Circuit indicated during oral arguments that plaintiffs have not plausibly pled enough to demonstrate Samsung ever collected or possessed their information illegally.  

While Illinois has several privacy statutes that cover a wide breadth of an individual’s private information, new challenges to the law that legislators did not anticipate will continue to test these boundaries. With rapidly evolving technology changing how society should properly shield private information, Illinois courts will continue interpreting how to apply these statutes to a variety of unforeseen situations and industries, even outside tech and social media.

The Seventh Circuit case is G.T. et al. v. Samsung Electronics America Inc. et al., 25-1120, in the U.S. Circuit Court of Appeals for the Seventh Circuit.

The views and opinions expressed here are my own and do not represent the views or opinions of the Office of the Chief Judge of the Circuit Court of Cook County, Illinois.

John Gilmore is a judicial law clerk for the Hon. Judge Patrick T. Stanton in the Circuit Court of Cook County, General Chancery Division and a law grad from the Washington & Lee School of Law in 2024. Before law school, he was a healthcare journalist for GenomeWeb.
