{"id":1553,"date":"2018-02-23T18:33:15","date_gmt":"2018-02-23T23:33:15","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=1553"},"modified":"2018-02-23T18:33:15","modified_gmt":"2018-02-23T23:33:15","slug":"no-doppelgangers-in-illinois","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=1553","title":{"rendered":"No Doppelgangers in Illinois"},"content":{"rendered":"<p><strong><em>Marvin Morazan<br \/>\n<\/em><\/strong><strong><em>Associate Editor<br \/>\n<\/em><\/strong><strong><em>Loyola University Chicago School of Law, JD 2019<br \/>\n<\/em><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>Recently, Google added new functionality to the <a href=\"https:\/\/www.blog.google\/topics\/arts-culture\/exploring-art-through-selfies-google-arts-culture\/\">Google Arts &amp; Culture<\/a> app that allows users to snap a selfie and find artwork from around the world that resembles the user. The app very quickly rose to the <a href=\"https:\/\/www.theverge.com\/2018\/1\/17\/16900392\/art-selfie-facial-match-app-google-top-of-charts\">top of the charts<\/a> as users around the United States took plenty of photos. Almost everywhere around the United States at least. Illinois and a few other states have laws that prohibit the collection or use of biometric (iris, fingerprint, etc.) data by businesses except under certain circumstances. The Google Arts &amp; Culture app uses biometric data to compare a user\u2019s image to the Mona Lisa (or any other portrait).<!--more--><\/p>\n<h2>Biometric Data<\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Biometrics\">Biometric<\/a> data is the technical term for calculations based on certain measurements of the body. For example, iris recognition looks at your eye and then computes whether or not it matches the authorized iris. 
The Google Arts &amp; Culture app takes your photo, then uses <a href=\"https:\/\/en.wikipedia.org\/wiki\/Machine_learning\">machine learning<\/a> to analyze photos of artwork and determine which most closely resemble you. Now enter the <a href=\"http:\/\/www.ilga.gov\/legislation\/ilcs\/ilcs3.asp?ActID=3004&amp;ChapterID=57\">Illinois Biometric Information Privacy Act<\/a>. Though Google hasn\u2019t explicitly stated why the feature isn\u2019t available in Illinois, it is <a href=\"http:\/\/www.chicagotribune.com\/business\/ct-biz-google-art-selfies-20180116-story.html\">likely<\/a> that the Act is a major part of their reasoning.<\/p>\n<h2>Why Illinois?<\/h2>\n<p>The Illinois law attempts to avoid a leak of biometric data, which cannot be changed by a user. While a leak of something like a credit card number is an annoyance, it\u2019s one that can be remedied by simply calling and cancelling or changing the card. A person\u2019s DNA, iris, or other biometric data can\u2019t simply be reset. The Act recognized that biometric data posed a significant and unique risk to individuals.<\/p>\n<p>The question still remains, why don\u2019t more states have these types of laws? California has other strong privacy laws (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Online_Privacy_Protection_Act\">CalOPPA<\/a>), but those only cover online privacy policies. Washington state modeled their <a href=\"https:\/\/www.bna.com\/washington-biometric-privacy-n73014461920\/\">biometric privacy law<\/a> after Illinois, but it doesn\u2019t allow consumers to sue (for the record, neither does <a href=\"https:\/\/www.bradley.com\/insights\/publications\/2017\/12\/the-face-of-the-future-developments-in-biometric-privacy-law-and-litigation\">Texas <\/a>without the Attorney General\u2019s action). 
In part, it\u2019s likely due to <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2017-07-20\/tech-companies-are-pushing-back-against-biometric-privacy-laws\">pushback<\/a> in the technology industry. Another factor may simply be that these laws are still relatively new; the Act was the first legislation to cover biometrics, and it was only introduced in 2008. More states are beginning to <a href=\"https:\/\/www.laborandemploymentlawcounsel.com\/2017\/10\/hazards-ahead-uptick-in-biometric-privacy-laws-can-put-employers-in-hot-seat\/\">propose their own laws<\/a>, which may indicate that a wave of legislation is coming as the popularity of these types of laws increases.<\/p>\n<h2>Why face ID works and selfies don\u2019t<\/h2>\n<p>When Apple first announced the face ID unlock for the iPhone X, it raised <a href=\"https:\/\/newmedialaw.proskauer.com\/2017\/09\/15\/apple-xs-face-id-feature-places-spotlight-on-facial-recognition-technology-raising-numerous-mobile-privacy-and-data-usage-issues\/\">questions<\/a> about compliance with privacy laws, including CalOPPA &amp; the Illinois Act. Though the iPhone X (and other biometric unlock features such as the Samsung S8) does take data that is <a href=\"https:\/\/www.ilnews.org\/news\/justice\/new-iphone-uses-facial-data-that-s-protected-under-illinois\/article_27955bf6-9c89-11e7-adaf-3b15a4c59f0f.html\">protected<\/a> by the Act, that data is stored locally on the device itself. The Act states that a company cannot take and store biometric information <em>offsite<\/em>. This falls in line with the intent of the Act by making it harder for a hacker to gain access to a database of biometric information by simply not creating a database in the first place.<\/p>\n<p>The Google Arts &amp; Culture app tells the user that the selfie they take will not be used for any purpose other than matching the user and a portrait, and that the data will only be stored for as long as necessary to analyze and match the photo. 
Google <a href=\"https:\/\/qz.com\/1183296\/googles-arts-culture-app-is-not-secretly-being-used-for-facial-recognition-training\/\">claims<\/a> that they aren\u2019t saving users\u2019 selfies, but they <em>are<\/em> sending the selfie offsite to do an analysis. This doesn\u2019t mean that Google is entirely barred from permitting the feature in Illinois, but it does mean that they need to proceed with caution or risk a class action lawsuit. That risk is likely high enough that Google is either not going to release the app in Illinois, or will wait to ensure that they are fully compliant with Illinois\u2019 biometric privacy law.<\/p>\n<h2>But first, let me <span style=\"text-decoration: line-through\">take a selfie <\/span>read the privacy policy<\/h2>\n<p>The Illinois Act does list the requirements for a corporation to collect and store biometric information. Summarily, a corporation must inform the user of the intent to collect data, what it will be used for, the risks associated with the data, and obtain written consent. The corporation must also use a reasonable standard of care within the corporation\u2019s industry to then protect that data.<\/p>\n<p>CalOPPA and the Illinois Act were both monumental in establishing privacy laws by requiring online privacy notices and restricting the collection and use of biometric data and have since inspired other state legislatures to propose their own similar laws. What remains to be seen is whether proposed laws will be as effective as the law in Illinois and how the privacy landscape is changing. At least for now, Illinois residents will have to settle for visiting the Art Institute in Chicago and finding their look alike in person.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, Google added new functionality to the Google Arts &amp; Culture app that allows users to snap a selfie and find artwork from around the world that resembles the user. 
The app very quickly rose to the top of the charts as users around the United States took plenty of photos. Almost everywhere around the United States at least. Illinois and a few other states have laws that prohibit the collection or use of biometric (iris, fingerprint, etc.) data by businesses except under certain circumstances. The Google Arts &amp; Culture app uses biometric data to compare a user\u2019s image to the Mona Lisa (or any other portrait).<\/p>\n","protected":false},"author":18,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[216,288,289,293,342,550,782,963,1095,1623,1629,1811,1971,2117],"class_list":["post-1553","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-arts","tag-biometric","tag-biometric-information-privacy-act","tag-bipa","tag-caloppa","tag-culture","tag-face-id","tag-google","tag-illinois","tag-cybersecurity","tag-privacy-policy","tag-selfie","tag-texas","tag-washington"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/1553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1553"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/1553\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/c
ompliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}