The Greatest Legislation You’ve By no means Heard Of

This article is part of the On Tech newsletter. You can sign up here to receive it on weekdays.

Americans should be annoyed that companies collect every piece of our data to sell us sneakers or to assess our creditworthiness. A data protection law that few of us know about should also give us hope.

I’m talking about the Illinois Biometric Information Privacy Act, or BIPA. It’s one of the strictest privacy laws in the United States. And 2008 passed when most of us didn’t have a smartphone and couldn’t imagine Alexa in our kitchen.

It applies to Illinois residents only and does not limit anything more than what companies do with data from our bodies, such as facial scans and fingerprints. But its principles and legacy show that effective laws can remove some control from information companies.

BIPA could also show that states can be America’s best laboratory for addressing the disadvantages of digital living.

The pedestrian origins of the law belies how momentous it became. In 2007, a company that let customers pay with their fingerprints in stores went bankrupt and was discussing the sale of the fingerprint database. People who thought it was scary wanted to stop such activities.

Few outsiders paid any attention to the BIPA negotiations, and this may have been the secret to their success. Now tech companies are unleashing armies to divert or shape proposed regulations.

The law text is simple but profound, told me Adam Schwartz, a senior attorney for the Electronic Frontier Foundation.

First, companies behind technologies like voice assistants or photo recognition services cannot use people’s biometric data without their knowledge or consent. Few American privacy laws go that far – and probably none. As a rule, we have to agree to what companies want to do with our data or do not use the service.

Second, BIPA forces companies to restrict the data they collect. These two principles are also contained in the landmark European data protection law.

And third, the law allows people – not just the state – to sue companies. (More on this below.)

One practical effect of BIPA is that Google’s Nest surveillance cameras in Illinois don’t have familiar face recognition capabilities. BIPA could be why Facebook turned off a feature that identifies faces in online photos. Illinois law is the basis of several lawsuits against Clearview AI that have resulted in billions of photos being deleted from the Internet.

However, BIPA has not prevented the data surveillance economy from spiraling out of control.

However, Schwartz said that without the law, companies’ collection of our personal information would have been worse. “BIPA is the gold standard and the kind of thing we want to see in all privacy laws,” he said.

I have already written about the need for comprehensive national data protection law, but maybe it is not necessary. Rather than relying on a dysfunctional Congress, we could have a patchwork of government measures, like less aggressive versions of BIPA and California’s flawed but promising privacy laws.

“There is no magic bill that calls privacy into question,” said Alastair Mactaggart, founder of Californians for Consumer Privacy, who backed these two consumer privacy laws. He said 50 privacy laws could be messy, but better than one weak national law.

BIPA also shows that we shouldn’t feel helpless in controlling our personal information. The data monitoring machine can be tamed. “The status quo is not predetermined,” said Schwartz.

I try not to bore you (and me) with the legislative sausage. However, allow me to sneak in two terms to keep an eye on how more states and Congress are considering regulating tech companies, including privacy, online expression, and limiting their powers.

These terms are private right of action and Right of first refusal.

The first basically means anyone can sue a tech company – not just government officials.

By and large, politicians on the left (and lawyers) say private lawsuits are an effective measure of accountability. Lawmakers on the right and many companies say they are a waste of time and money.

This right of action will be a central point of contention in almost any battle over technology regulation.

Democrats in Congress said they want to tame the power of big tech by, for example, having merchants who feel their businesses are being put down by Amazon are suing the company for anti-competitive measures. This is a deal breaker for many Republicans.

California’s data protection act gives people the right to sue companies for data breaches. Privacy bills that are believed to be more business-friendly – such as a pending law in Virginia – usually don’t give people an opportunity to sue.

And on prevention: it essentially means that every federal law exceeds state laws.

Make yourself comfortable with this concept too, because it could be the focus of future technical battles. My colleague David McCabe said that tech companies worried about future local or state digital privacy laws were talking about Congressional laws that would replace the states.

  • The news is back on Facebook in Australia: My colleagues Mike Isaac and Damien Cave reported that Facebook reached a (temporary) compromise on an Australian bill through which tech companies would pay for news links. Facebook had blocked messages in the country as a result.

  • Buggy software keeps people in jail? The Phoenix public radio station KJZZ reports that hundreds of people are being held there instead for being eligible for release from state prisons because the software does not contain updated criminal laws.

  • She wants some parts of the online learning to be kept: Rory Selinger, a 14-year-old high school student, wrote on OneZero that distance learning freed her to adopt her own learning style, let her teachers provide instant feedback, and eased the school’s social pressures. She wants the flexibility of online learning to redefine education.

Bless this TikTok video of an adorable Chihuahua dancing.

We want to hear from you. Tell us what you think of this newsletter and what else you would like us to explore. You can reach us at

If you do not have this newsletter in your inbox yet, please register here.

Comments are closed.