* The Verge yesterday…

As Zuckerberg prepares to testify before Congress, Facebook is quietly fighting a crucial privacy measure in the Illinois Statehouse. Starting tomorrow, state legislators will consider a new amendment to the Biometric Information Privacy Act (BIPA) that could neuter one of the strongest privacy laws in the US, giving Facebook free rein to run facial recognition scans without users’ consent.

For years, Facebook has been battling a lawsuit based on BIPA, which required explicit consent before companies can collect biometric data like fingerprints or facial recognition profiles. According to the plaintiffs, Facebook’s photo-tagging system violates that law, identifying faces in uploaded photos with no clear notice or consent. (Similar lawsuits have also been filed against Google and Snapchat.) Facebook added a more explicit consent provision earlier this year, but the lawsuit has continued on the basis of the earlier collection.

This week’s amendment would carve out significant new exceptions to the bill, allowing companies to collect biometric data without notice or consent as long as it’s handled with the same protections as other sensitive data. Companies could also be exempted if they do not sell or otherwise profit from the data, or if it is used only for employment purposes.

Sen. Bill Cunningham filed two amendments to his bill, but neither was allowed out of the Assignments Committee this week. This national uproar over Facebook is so hot that Statehouse nerves are a bit frayed. Take a look at the electronic witness slips and you’ll see a load of opponents from the left. Sen. Cunningham told me yesterday that there’s still a lot of negotiating left to do. But Friday is the Senate’s committee deadline, and April 27th is its Third Reading deadline, so they have to move things along.

* This is why the GA has to be careful, however…

Our biometrics are easy to capture. Once captured, we generally cannot change our biometrics, unlike our credit card numbers, or even our names. Databases of biometric information are ripe targets for data thieves. .

* Tribune…

The Senate proposal would allow companies to collect biometric information on their employees if it is used exclusively for employment, human resources or identification, as well as safety, security or fraud prevention.

That’s troubling to Adam Schwartz, a senior lawyer at the San Francisco-based Electronic Frontier Foundation. Currently, employers can take their employees’ fingerprints to have them clock in; they just have to notify them first.

That empowers “workers in Illinois to have a say in what their employers are doing with their biometrics,” Schwartz said. The proposed change would take away that power.

As is the case with many bills, Sen. Cunningham says he started out to address a constituent problem. The law provides for fines of $1,000 per violation if it’s unintentional. Cunningham told me about a nursing home in his district that dumped its old time-card system for fingerprint registration, but was unaware that it needed to notify its employees. So, it faced a penalty of $1,000 for each unintentional offense. That worked out to $4,000 per day per employee - $1,000 when they clocked in, another $1K when they clocked out for lunch, another $1K when they clocked back in from lunch and another $1K when the clocked out at the end of the day. Take that times 200 employees and it was looking at an $800,000 per day penalty.

So, it should come as no surprise that trial lawyers, particularly a narrow set of trial lawyers who file these sorts of lawsuits, are hotly opposed to Cunningham’s bill. Cunningham said he worries about “small employers being sued for technical violations.” But the trial lawyers have a lot of juice in the General Assembly.

* The courts are stepping in…

In a ruling that may have significant impact on the recent wave of biometric privacy suits, an Illinois state appeals court held that plaintiffs must claim actual harm to be considered an “aggrieved person” covered by Illinois’ Biometric Information Privacy Act (BIPA), in a dispute arising from the alleged unlawful collection of fingerprints from a Six Flags season pass holder. […]

The plaintiff, whose son’s fingerprint was collected by Six Flags after purchasing a season pass for one of its Great America amusement parks, filed suit on behalf of her son and similarly situated class members, against Great America LLC and Six Flags Entertainment Corp. for allegedly violating Illinois’ BIPA by failing to obtain proper written consent or disclosing their plan for the collection, use, storage, or destruction of her son’s biometric information. The plaintiff further claimed that had she known of Six Flags’ collection of fingerprints, she would not have allowed her son to purchase a season pass.

Six Flags argued in a motion to dismiss that the BIPA allows only “aggrieved” individuals to sue for all alleged violations, and that the plaintiff’s son and other similar plaintiffs who had not suffered actual harm have not met the necessary threshold to bring a claim.

That ruling is here.

* Back to the Tribune for just one reason why big companies like Facebook and Google are hoping to revise Illinois law…

The law already appears to be influencing some product rollouts. Nest, a maker of smart thermostats and doorbells, sells a doorbell with a camera that can recognize visitors by their faces. However, Nest, owned by Google parent Alphabet, does not offer that feature in Illinois because of the biometrics law. Google’s Arts & Culture app rolled out a new feature late last year that matched users’ uploaded selfies with portraits or faces depicted in works of art, but it’s not available in Illinois, likely due to the state’s biometric law.

Opponents are concerned that the proposed changes would only require private entities to notify people if their biometric data is to be kept for more than 24 hours. Additionally, the law would only protect biometric data linked to “confidential and sensitive information,” such as a driver’s license number or Social Security number.