Let’s say the state passes a law that says that restaurants may not put worms in hamburgers, and that customers can sue those that do. Your kids eat at the local Annelids franchise on the way home from school, and you later discover that the burgers contain worms. You sue the restaurant, and in response, it says that since your kids didn’t get sick from the experience, it only “technically” violated the law, and you therefore have no basis to either collect damages or force them to stop. That is, on the face of it, a pretty stupid construction of the law, since it would make it totally unenforceable. It is also, more or less, how Facebook, Google, and Six Flags Great America think you should read the Illinois Biometric Privacy Information Act (BIPA).
In a unanimous ruling yesterday, the Illinois Supreme Court said otherwise. The Act regulates companies that collect biometric information like fingerprints and face scans. In the case at hand, the amusement park used thumbprints to identify customers who had bought a season pass, in order to admit them quickly and to stop people from sharing passes (you know the second reason is the real one; since when do amusement parks worry about long lines?). If the company wants to collect such information, it has to inform customers in writing of what it is doing, and get affirmative consent. In particular, the company must “inform[] the subject or the subject’s legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used” (cited in para 20).
This is notice and consent privacy as it should be! There are a lot of reasons why I don’t think notice and consent privacy actually works – I called it a “successful failure” because the main effect is to teach us that privacy is something we should sell off but without actually protecting privacy. Nobody knows what they’re consenting to, the privacy notices are impossible and long and incomprehensible, and so on. Six Flags et al. don’t even get that far: they argue that they don’t actually have to follow the law. So for them, privacy should just be a failure.