When night fell, a clerk at a bustling 24-hour MotoMart flipped a switch from behind the counter.
Electromagnetic locks sealed the doorway. A window sign, now illuminated in red, warned “facial recognition technology in use” and directed customers to “look up at the camera.”
On this recent weeknight, a woman who wanted cigarettes was locked out. Confused at first, she quickly realized that she needed to remove her medical mask. After her unobstructed facial image was scanned into a store computer, then screened against the company’s photo archives of previous customers convicted of store-related crimes, the doors clicked open.
Just a few miles away, across the Missouri state line in Illinois, such screening is against the law under the toughest privacy laws in the country. Private companies must obtain written consent before stockpiling facial images or any biometric identifier – fingerprints, palms, eyes and voice.
The contrast speaks to America’s digital privacy divide. On one side is Illinois, along with two other states and several U.S. cities that currently require some form of public disclosure or consent to a biometric screening. On the other is the rest of the country, including Missouri, where private sector uses are by and large unrestricted.
Illinois’ law prohibits private sector companies and institutions from collecting biometric data from unsuspecting citizens in the state or online, no matter where the business is based. Data cannot be sold, transferred or traded. Unlike any other state, citizens can sue for alleged violations, which has sparked hundreds of David-and-Goliath legal battles against some of the world’s most powerful companies.
A Reuters review of nearly 750 individual and class-action suits filed in Illinois since 2015 found widespread evidence that private companies, without disclosure or consent, have collected, tagged and categorized biometric data gleaned from millions of unsuspecting Americans. Most suits have been filed since 2019, when the Illinois Supreme Court, in a bombshell decision, ruled plaintiffs did not have to show harm to collect damages.
Privacy advocates warn that the swift, largely unchecked growth of such tracking technologies has outpaced existing laws in most states, leaving individuals vulnerable to identity theft, invasion of privacy and discriminatory practices. Unlike a credit card or driver license, a person’s biometric data is unique and cannot be changed or replaced.
The MotoMart system is designed to protect privacy with tamper-proof software that prohibits owners from importing or exporting biometric data involving any outside source, said Thomas Sawyer, a retired St. Louis police detective. He co-founded Blue Line Technology, LLC, which created the store’s face recognition system, with a group of former and active law enforcement officers.
“We want people to know they are being watched,” he said. “That’s why we have signs and a flashing light.”
Court records show that many companies use biometric systems to track employee and student performance or monitor customers in order to develop marketing and sales strategies. The suits detail how companies or institutions allegedly used a fingerprint database of amusement park visitors, including children, to look for signs of ticket fraud; examined college students’ eye movements and typing cadence for signs of cheating; and monitored employee interactions – whom they talked to and for how long – and frequency of their bathroom breaks.
Cases are also pending against global web-based giants including Amazon.com Inc (AMZN.O), Apple Inc (AAPL.O) and Alphabet Inc’s Google (GOOGL.O), as well as brick-and-mortar corporations such as McDonald’s Corp (MCD.N). The food chain is accused of recording voices of some drive-thru customers to track purchasing patterns, according to the suit. Complaints against the four companies are pending. All four declined to comment.
In court papers, Amazon, Apple and Google denied any violation of Illinois’ law, maintaining that privacy disclosures were provided to all users. Also in court filings, McDonald’s disputed the accusations against the company and asserted that voice data was used for training purposes and “not to identify individual speakers.”
If a company is found to have violated Illinois law, citizens can collect civil penalties up to $5,000 per violation compounded by the number of people affected and days involved. No state regulatory agency is involved in enforcement.
Some companies have opted for staggering settlements. Facebook settled for $650 million last year following accusations that the social media giant collected millions of facial photos without proper consent. Earlier this year, Tik Tok’s China-based parent ByteDance settled for $92 involving similar allegations. Neither company acknowledged wrongdoing and neither responded to Reuters requests for comment.
At least half of pending suits involve regional or local companies. A court verdict or settlement – even for violations that did not result in measurable harm – could be financially crippling and lead to layoffs, said Jack Lavin, chief executive officer and president of the Chicagoland Chamber of Commerce.
“Illinois law has been weaponized,” he said. “It’s created a cottage industry for suing companies.”
The U.S. Chamber of Commerce’s Institute for Legal Reform labels Illinois a “judicial hell hole.”
FINGERPRINTING AT THE GROCERY STORE
It seemed like an idea out of science fiction: using a fingerprint scanner to buy groceries. But in 2008, a California company swept into Illinois with just such a futuristic online marketing pitch: “Imagine this. At checkout, you place your finger on a small scanner. Instantly you see a list of your payment accounts on a screen, checking account, credit or debit card … no cards, checks, cash – or hassle.”
Soon after shoppers signed up, the company declared bankruptcy. Court filings revealed that the company planned to liquidate inventory, including the fingerprint database, to outside companies.
The Illinois chapter of the American Civil Liberties Union leapt to action and sponsored legislation that became the Illinois Biometric Information and Privacy Act, or BIPA. The California company’s fingerprint database was destroyed.
“We aren’t trying to ban technology,” said spokesman Ed Yohnka. “We want to put protections in place to control, manage, inform and obtain consent.”
Only two other states currently enforce comprehensive biometric privacy laws. Texas and Washington regulate compliance through a government agency, like an attorney general, a Reuters review of state records show. However, both states’ laws are generally viewed as weaker than Illinois’ mandates by privacy advocates; agencies often seek voluntary reform if violations are substantiated. California will implement more comprehensive privacy protections in 2022, which will limit how data is collected and create a new state regulatory agency focused on consumer privacy laws.
Meanwhile, pro-business groups are fighting to modify Illinois’ law.
In January, the Chicago chamber of commerce sponsored legislation to soften financial penalties and eliminate citizens’ right to sue, known in legal parlance as a “private right to action.” The measure failed for lack of support.
‘WE COULD DO ALL KINDS OF STUFF WITH THIS!’
The Missouri MotoMart was the first store in the country to install the surveillance lock-out device created by Blue Line. The firm represents one of dozens of nascent companies in America that are struggling to gain prominence in the facial recognition industry, focusing on small businesses with tight budgets.
Blue Line launched in 2015 after Sawyer visited his friend, Marcos Silva, a former military software programmer who now works as a St. Louis police detective.
“Do you want to see something in my garage?” Sawyer recalled Silva asking.
Silva demonstrated a prototype for a face recognition program. Sawyer said he blurted, “We could do all kinds of stuff with this!”
Today, Blue Line oversees about 50 systems, which cost about $10,000 each, in convenience stores and gas stations in 12 states. A private Catholic high school in suburban St. Louis also uses the Blue Line system to verify student identities before they can enter the building.
But Blue Line confronts a shifting regulatory landscape. A Portland store abandoned its system after the city council voted to prohibit private sector use of face recognition beginning this year. The ban does not apply to government or law enforcement.
Dozens of cities are now weighing new biometric restrictions. New York City modeled much of its new privacy law this year after Illinois; businesses are required to publicly and prominently disclose when biometric systems are used.
Cities should “press pause” on allowing biometric technologies until laws require public transparency and corporate accountability, said Alan Butler, executive director of Wash. D.C.-based Electronic Privacy Information Center.
Without legal safeguards, he said, real-time face recognition systems like the one developed by Blue Line represent a “systemic threat to privacy.”
But Sawyer said he has proof Blue Line’s program works. He showed Reuters a six-second video from July 2018 at an AM/PM convenience store in Yakima, Washington.
At 1:20 a.m., two young men wearing ski masks dashed to the store’s front door. Both appeared to clutch handguns under dark clothing. One man pulled the door handle, locked by Blue Line’s system. Both men turned and ran.
Kush Hans, the owner of the store, said he installed the Blue Line system in 2017 after a masked robber fatally shot a 25-year-old clerk, a family relative.
Since face recognition has been installed, there have been no more robberies, he said.