Three lessons from BIPA for data privacy legislation

Recently, the Supreme Court denied cert on the lower court case of Patel v. Facebook, allowing the lower court ruling to stand. The company agreed to a $550 million settlement with the class of plaintiffs a few days later. This is the latest case to use private right of action, or individual and class-action lawsuits, as a method of enforcement for the Illinois Biometric Information Privacy Act (BIPA). This and other lawsuits related to BIPA, such as a case against Six Flags last year, provide an insight into how a private right of action might play out in the context of broader data privacy regulations.

Illinois’ BIPA, passed in 2008, has statutory requirements governing the collection and storage of biometric information, including fingerprints and facial features and measurements used to quickly identify photos. Unlike similar laws in Washington and Texas, it has also allowed individuals to bring cases against companies for alleged violations as part of its enforcement.

Whether consumer data privacy laws should include the right for those impacted to sue is a key inflection point in the data privacy debate at both the state and federal levels. States including New York are considering state-level data privacy legislation that includes such a right.

Federally, two proposals released by Sens. Roger Wicker (R-Miss.) and Maria Cantwell (D-Wash.) in December differed on whether a private right of action should be included, and it remains a key split in attempts at national data privacy legislation.

But cases already brought under BIPA illustrate what could happen if such a right becomes standard across America. 

First, if the harm of a data privacy violation is not clearly defined by the law, courts may take a more expansive view than the Federal Trade Commission’s enforcement and consumer protections have traditionally taken. For example, in Patel v. Facebook, the Ninth Circuit’s ruling held that the mere collection of biometric information was a sufficient harm under Illinois’ BIPA. Yet biometrics have many benefits, including the ability for an individual to quickly identify friends and sort personal photos, or for a company to have a more secure timekeeping system. Under BIPA, many of these benefits become difficult (if not impossible) to utilize.

Second, these cases illustrate concerns about class actions or the tort system in general. Under BIPA-style legislation, many data privacy cases would likely be class actions, as there might be insufficient harm to allow any single consumer to bring a case. As critics of class action lawsuits point out, these cases often result in attorneys receiving large fees and the plaintiffs receiving only small amounts as redress for a supposed harm. This issue has long been at the center of calls for tort reform, and given the growing impact of data in a wide range of industries, a nationwide, private right of action for broad definitions of supposed data privacy could exacerbate it.

Finally, even if BIPA serves as a deterrent against the misuse of data, policymakers should question whether litigation is the right kind of deterrent. We should seek to address concerns without also deterring the beneficial uses of technology. In some cases, products such as the Google art selfie match have been unavailable in Illinois. The courts’ broad interpretations and numerous lawsuits against employers over statutory violations of the law could also deter employers from using more accurate timekeeping or security technology.

We often look to new competition in the data sphere as the way to provide better, safer products and challenge the status quo. Potentially company-ending liability discourages experimentation. Many innovators are likely, with good reason, to be much more risk-averse. That seems to be what plenty of Americans and policymakers want, but let’s not forget that as a result, consumers may lose out on new beneficial technologies or other innovative ideas. Some innovators will look to move to other, more pro-innovation areas in a process of “innovation arbitrage.”

As Congress and states debate whether or not to include a private right of action in data privacy regulations, they should look at the consequences of BIPA and consider what might happen with an even broader regulation. The courts and the tort system can play an important role, but the tradeoffs suggest that we should be exploring other forms of enforcement, including those that are already utilized, such as the role of the Federal Trade Commission.

Jennifer Huddleston is a research fellow with the Mercatus Center at George Mason University. She has a JD from the University of Alabama School of Law and a BA in political science from Wellesley College.