Incoming Illinois attorney general Kwame Raoul will help steer the ongoing legislative debate about his state’s biometric privacy law.
Tech companies and privacy advocates are battling over a proposal to amend the law regulating the use of biometric data such as fingerprints, iris and retinal scans and facial recognition technology. Raoul (D), elected Nov. 6, has signaled he will weigh in against legislation that would scale back the law.
“States like Illinois have helped tame the Wild West of social media, but there is still much to be done,” Raoul told Bloomberg Law before the midterm elections. “I supported the Illinois Biometrics Information Privacy Act—the strongest law of its kind in the nation—because I understand that people use social media with the reasonable expectation that their biometric data will not be appropriated without authorization.”
Industry groups and companies such as Alphabet Inc.'s Google and Facebook Inc. have lobbied for years to amend the Illinois law. Google lobbyists pushed to include language in an amendment to exclude photos from the law, and Facebook has contributed to campaigns of lawmakers supporting an amendment to scale back the law.
Raoul said he will “oppose ongoing efforts to weaken this law.”
Lobbying efforts have shaped or shut down efforts for similar laws across the country. Only two other states, Texas and Washington, have biometric privacy laws. The Illinois statute is the only one with a private right of action that allows people to sue for alleged privacy violations.
Raoul said he “will work closely with the General Assembly to strengthen or clarify BIPA if amendments are necessary to achieve its purpose in light of changing technology and jurisprudence in this area.”
He also said he’ll press the legislature for stronger laws to protect residents, especially children, from privacy invasions on social media and unauthorized data collection if BIPA “does not prove sufficient.”
Raoul, a former prosecutor and Democratic state senator, defeated Republican Erika Harold for the post. He’s likely to pursue the same kind of privacy agenda as outgoing Democrat Lisa Madigan, who led all 50 states and the District of Columbia in reaching the $148 million settlement agreement with Uber Technologies Inc. over its 2016 data breach and launched investigations into or reached settlements in other privacy and data security actions.
Role in Privacy
To be sure, the attorney general doesn’t have a formal role in the legislative process, and the current Illinois law doesn’t empower him to pursue potential violations, said Scott Pink, Silicon Valley-based special counsel at O’Melveny & Myers LLP.
But that doesn’t mean that Raoul won’t be able to help sway Illinois lawmakers.
“The Attorney General, as chief legal officer for the state, could influence legislators’ approach to this issue,” Pink said. The newly elected attorney general could “influence legislators in deciding whether to give power to the AG in enforcing the law.”
Behnam Dayanim, a Washington-based partner who co-chairs Paul Hastings LLP’s privacy and cybersecurity practice, said “the attorney general’s voice in the debate will matter,” even though the attorney general doesn’t have the power to change BIPA.
State attorneys general “possess a bully pulpit that few other state officials have, because typically it’s the attorney general who is leading the charge on privacy matters,” Dayanim said.
Debate Over Scope
Illinois state Sen. Bill Cunningham (D) introduced a bill (SB 3053) in February that would amend the scope of the law. The bill would allow companies to collect biometric data on employees if they’re used exclusively for employment, human resources, fraud prevention, or security. The proposed amendment would explicitly exempt digital photographs from the definition of a biometric identifier.
BIPA is the “national gold standard on protections for biometric privacy,” Adam Schwartz, San Francisco, Calif.-based senior staff attorney with the Electronic Frontier Foundation, told Bloomberg Law.
The digital rights group fears there will be further efforts to “gut” the law, Schwartz said, but he’s optimistic the law will remain unchanged.
“We think that it’s more likely the law will hold if the legislative muscle of the Illinois AG stands on the side of biometric privacy,” Schwartz said.
Others say that technological advances make it necessary to amend the law.
Tyler Diers, director of legislative relations at the Illinois Chamber of Commerce, said the pro-business lobbying group is in favor of updating the law. The biometric privacy law “is as old as the iPhone 3G,” Diers told Bloomberg Law.
Diers said that it’s hard to predict what the Illinois general assembly will do, and his group is more focused at the moment on the Illinois Supreme Court. A case there, Rosenbach v. Six Flags Entertainment Corp., will determine whether plaintiffs have to show harm to sue under the Illinois law. Oral argument is scheduled for Nov. 20.
—Updates throughout with additional reporting.