In the coming weeks, nearly 1.6 million Illinoisans will receive a check in the mail for $397 from Facebook, the result of a class action lawsuit filed against the social media company that began almost seven years ago. While Illinoisans across the state celebrate the extra cash in their pocket, they might not be aware of the privacy protections in place that led to that payout – protections that are in jeopardy in the state legislature right now.

The lawsuit against Facebook centered on the company’s violation of the Biometric Information Privacy Act (BIPA), an Illinois state law passed in 2008 to guide how companies must handle Illinoisans’ biometric data, which includes fingerprints, hand scans, facial geometry, eye scans, voiceprints, and other unique biological information. Much like DNA, the distinctive anatomical features are unique, universal, and immutable. The ease with which biometric identifiers are electronically extracted, stored and disseminated makes them vulnerable to abuse from entities seeking to profit off the data, hackers bent on identity theft, and foreign governments building databases of U.S. citizens.

BIPA requires companies to get informed consent from an individual before collecting their data, and prohibits companies from selling or profiting in any way from that information. If you use face ID to unlock your iPhone, or your fingerprint to get into your bank account, the information a company can glean from those actions is protected by BIPA in Illinois.

BIPA is also one of the only laws of its kind that allows consumers to take a company that violates the law to court, which is how the lawsuit against Facebook came to be. In 2015, an Illinois man filed a lawsuit alleging that Facebook’s practice of facial tagging in photos without consent violated BIPA, and nearly 1.6 million Illinoisans ended up joining the successful class action suit.

While the case against Facebook is certainly the most high-profile BIPA settlement, it is far from the only one. To date, there have been approximately 100 BIPA class action settlements, which have resulted in more than $900 million being recovered on behalf of the approximately three million Illinoisans whose biometric privacy rights were violated. In the employment context, the average recovery is approximately $900 per person.

However, these crucial protections for our most personal data, and the ability to hold those accountable who violate them, are under attack in our state Capitol. Right now, there are several pieces of legislation under consideration in Springfield that would chip away at BIPA and leave Illinoisans vulnerable to invasions of privacy and abuse of this data, including SB3874, SB3413, and SB3782. With our most personal information on the line, we cannot allow this legislation to move forward.

The legislation under consideration would make it easier for companies to collect biometric data without informed consent if they claim it’s being used for “security purposes.” It also gives certain employers the ability to keep records of their employees’ sensitive information. This is not just a slippery slope to the complete gutting of BIPA, but extremely dangerous in its own right.

Allowing biometric data to be used to identify and track people without their consent is not only an invasion of privacy, it can lead to discriminatory outcomes. Facial recognition technology has been proven time and again to be inaccurate, particularly for women and people of color. If companies can rely on this information to try to track down an individual who committed a retail theft or may have trespassed on private property – as proposed legislation would allow – it could lead to the wrong person being accused of these crimes.

Additionally, the greater the number of parties that have access to your biometric data, the greater the risk that it will be abused, misused, sold, or stolen. Biometric data isn’t like credit card information or a phone number. You can’t get a new fingerprint or change the results of a scan of your retina, which is exactly why we need to ensure this data is treated with the utmost security and protection.

Andrew C. Ficzko is a Partner at Stephan Zouras, LLP, a law firm helping people vindicate their biometric privacy rights under BIPA.

