Recently, a guy sued McDonald’s for collecting and then storing facial and biometric data without consent.
In my opinion, this solves nothing: the legal process takes so long that, by the time McDonald’s is forced to comply, and due to the publicity of the lawsuit, your data could already be in the hands of a malicious third party.
If I tell an attacker, “Hey, this company has millions of voice prints and facial recognition data,” that just makes them a target everyone is going to immediately try focusing on, especially if it’s a company that doesn’t usually specialize in protecting that sort of data. A research institute specializing in AIDS, for example, is going to protect your info better than if you disclosed that information to your massage therapist, both because they have different types of focus and because they are legally required to.
While we don’t know the fast food corporations’ cybersecurity approaches, if tomorrow I filed a lawsuit claiming “Burger King stores your face and bank information for fast checkout without your permission”, would I be surprised if they were hit by more attacks than usual trying to get at said information that was collected without my permission?
Being constantly careful is the only thing an individual can do, unfortunately. While a lawsuit can get your data deleted and maybe a settlement, it also raises the attack surface for the rest of the people to external malicious attacks, and they won’t get a settlement for their trouble in most cases unless it’s a class action.
So please, think before you file. After all, with how many “we may share information with a third party” clauses are out there, I wouldn’t be surprised if they purposefully stored information on a third-party server for cold storage to prove they don’t have your data.
What are some takes and counterarguments to this?