Because the United States lacks meaningful federal privacy protections, states have passed a patchwork of laws that are largely favorable to corporations. By contrast, Europe passed the General Data Protection Regulation six years ago, restricting the online collection and sharing of personal data despite a tremendous lobbying push against it by the tech companies.

The Illinois law’s provision allowing individuals to sue the companies, known as a private right of action, has led to hundreds of lawsuits, to surprising success. Google recently agreed to pay $100 million to settle a lawsuit that it had improperly used Illinois residents’ photos, and the company said it will add new prompts to seek consumers’ consent to group photos together. Meta, Facebook’s parent company, will pay $650 million to settle a similar lawsuit filed in the state, and the video streaming platform TikTok’s parent company, ByteDance, agreed to settlement terms over claims that it scanned and used biometric data without consent in Illinois. Snapchat is also facing a class-action lawsuit in the state over its facial recognition practices.

“People don’t realize how much they’re just giving away to these companies,” Faye Jones, a professor at the University of Illinois College of Law, said in an interview. “It’s not that difficult for companies to comply with Illinois’s rules.”

Tech companies, she said, have successfully lobbied for watered down or nonexistent biometric data provisions in other states. In addition to Illinois, Washington and Texas — which is suing Meta for misuse of consumers’ personal data — have broad statutes governing the use of biometric identifiers, but those states do not grant a private right of action. Washington State has failed for three years running to pass a comprehensive privacy bill, in part because of opposition to private right of action provisions.

And while much attention has focused on facial recognition, with local government agency bans on its use in multiple jurisdictions, including San Francisco and Minneapolis, in recent years, technology firms are honing their skills at using other data to identify people, particularly by combining information like our mobile phones’ locations, purchasing data, fitness trackers and license plate scanners, to name a few. A singular focus on facial recognition, while well intentioned, elides the urgent need for broad reforms over consumer privacy.