Businesses across the world are harvesting and monetizing our biometrics without our knowledge or consent. For example, Clearview AI extracted faceprints from three billion people, and now it sells face-matching services to police departments. Likewise, retail stores use face surveillance to identify customers they deem more likely than others to engage in shoplifting, often based on error-prone, racially biased criminal justice data. Other businesses profit on tracking of our fingerprints, iris scans, and other biometrics.
So it is great news that U.S. Sens. Jeff Merkley and Bernie Sanders have introduced the National Biometric Information Privacy Act (BIPA). The Act requires businesses to get your opt-in consent before collecting or sharing your biometrics; to delete your biometrics in a timely fashion; and to store your biometrics securely. Most importantly, the bill empowers you (and us) to sue businesses that break these rules.
Biometric surveillance raises special privacy concerns. We expose our biometrics wherever we go, and unlike passwords and ID numbers, we can't get new biometrics when the ones we're born with leak. That's bad news for us. But for governments and businesses (often in partnership), the permanence of our unalterable biometrics makes it easy to track our whereabouts, activities, and associations. That's why biometric surveillance is on the rise.
The National BIPA bill improves upon Illinois’ BIPA law, which is one of the most important privacy laws in the United States. EFF and other privacy advocates have long worked in legislatures and courts to protect and expand this model.
EFF looks forward to helping enact this important federal biometric privacy law.