Marvin Morazan
Associate Editor
Loyola University Chicago School of Law, JD 2019
Recently, Google added new functionality to the Google Arts & Culture app that allows users to snap a selfie and find artwork from around the world that resembles the user. The app very quickly rose to the top of the charts as users around the United States took plenty of photos. Almost everywhere around the United States at least. Illinois and a few other states have laws that prohibit the collection or use of biometric (iris, fingerprint, etc.) data by businesses except under certain circumstances. The Google Arts & Culture app uses biometric data to compare a user’s image to the Mona Lisa (or any other portrait).
Biometric Data
Biometric data is the technical term for calculations based on certain measurements of the body. For example, iris recognition looks at your eye and then computes whether or not it matches the authorized iris. The Google Arts & Culture app takes your photo, then uses machine learning to analyze photos of artwork and determine which most closely resemble you. Now enter the Illinois Biometric Information Privacy Act. Though Google hasn’t explicitly stated why the feature isn’t available in Illinois, it is likely that the Act is a major part of their reasoning.
Why Illinois?
The Illinois law attempts to avoid a leak of biometric data, which cannot be changed by a user. While a leak of something like a credit card number is an annoyance, it’s one that can be remedied by simply calling and cancelling or changing the card. A person’s DNA, iris, or other biometric data can’t simply be reset. The Act recognized that biometric data posed a significant and unique risk to individuals.
The question still remains, why don’t more states have these types of laws? California has other strong privacy laws (CalOPPA), but those only cover online privacy policies. Washington state modeled their biometric privacy law after Illinois, but it doesn’t allow consumers to sue (for the record, neither does Texas without the Attorney General’s action). In part, it’s likely due to push back in the technology industry. Another factor may simply be that these laws are still relatively new; the Act was the first legislation to cover biometrics, and it was only introduced in 2008. More states are beginning to propose their own laws, which may indicate that a wave of legislation is coming as the popularity of these types of laws increase.
Why face ID works and selfies don’t
When Apple first announced the face ID unlock for the iPhone X, it raised questions about compliance with privacy laws, including CalOPPA & the Illinois Act. Though the iPhone X (and other biometric unlock features such as the Samsung S8) does take data that is protected by the Act, that data is stored locally on the device itself. The Act states that a company cannot take and store biometric information offsite. This falls in line with the intent of the act by making it harder for a hacker to gain access to a database of biometric information by simply not creating a database in the first place.
The Google Arts & Culture app tells the user that the selfie they take will not be used for any purpose other than matching the user and a portrait, and that the data will only be stored for as long as necessary to analyze and match the photo. Google claims that they aren’t saving users’ selifes, but they are sending the selfie offsite to do an analysis. This doesn’t mean that Google is entirely barred from permitting the feature in Illinois, but it does mean that they need to proceed with caution or risk a class action lawsuit. That risk is likely high enough that Google is either not going to release the app in Illinois, or will wait to ensure that they are fully compliant with Illinois’ biometric privacy law.
But first, let me take a selfie read the privacy policy
The Illinois Act does list the requirements for a corporation to collect and store biometric information. Summarily, a corporation must inform the user of the intent to collect data, what it will be used for, the risks associated with the data, and obtain written consent. The corporation must also use a reasonable standard of care within the corporation’s industry to then protect that data.
CalOPPA and the Illinois Act were both monumental in establishing privacy laws by requiring online privacy notices and restricting the collection and use of biometric data and have since inspired other state legislatures to propose their own similar laws. What remains to be seen is whether proposed laws will be as effective as the law in Illinois and how the privacy landscape is changing. At least for now, Illinois residents will have to settle for visiting the Art Institute in Chicago and finding their look alike in person.