Does your phone immediately unlock for use after you glance at it?  Have you visited your favorite social media platform only to find that you have been tagged in dozens of pictures?  Or how about that time you scanned your fingerprints or eyes to open your phone, gain admittance to a theme park, or pass through airport security?  These features all involve biometrics technology—the latest trend and high-growth area of technology used to help organizations provide consumers with a more effortless and interactive experience in exchange for personal information about your physical or behavioral attributes.  Companies should be mindful in collecting this data and how they use and store that information.

Biometrics include facial, fingerprint, iris, gestures, and voice recognition.  While biometrics technology is becoming more ubiquitous in daily life and being employed by more governmental agencies and service providers, new privacy considerations will continue to emerge as a result of the pieces of personal information shared by consumers to increase convenience.

Similar to other privacy laws in the United States, there is no single, comprehensive federal law regulating the collection and use of biometric data.  While most states rely on common law to prohibit using an individual’s images without consent while they are in public, some states have already enacted specific biometric privacy laws, and other states have introduced legislation.  An overview of recent legislation is provided below.

2008 – Illinois Biometric Information Privacy Act (BIPA)

In 2008, Illinois became the first state to pass a biometric privacy law.  In the last several years, the number of BIPA class actions filed has exploded across the country.  Illinois’ BIPA considers a retina scan, iris scan, finger print, voice print, hand scan, and face geometry to be “biometric data”.  It does not, however, include demographic data, physical descriptions, writing samples, or photographs.  Generally, BIPA has five main requirements covering businesses working with biometrics:

1. Businesses must obtain informed consent before collecting biometric data.
2. Businesses have limited rights for disclosure.
3. Businesses may not profit from biometric data.
4. Businesses must protect and retain the data according to the statute.
5. Businesses must store, transmit, and protect biometric data using the reasonable standard of care in the businesses’ industry and in a manner consistent with how the businesses’ handle other sensitive information.

There is a private right of action for harmed individuals, allowing recovery of $1,000 per negligent violation or $5,000 per intentional violation.  See, e.g., In re Facebook Biometric Information Privacy Litigation, No. 3:15-cv-03747-JD (N.D. Cal. May 14, 2015).

2009 – Texas Business and Commerce Code § 503.001

In 2009, Texas became the second state to pass its own biometric privacy law.  The Texas law prohibits the capture of an individual’s biometric identifiers (excludes the analysis of biometric indicators), defined as including retina scans, iris scans, fingerprints, voiceprints, and hand or face geometry, for a commercial purpose unless the individual provides informed consent.  Texas also limits the sale or disclosure of an individual’s biometric identifiers without consent or unless allowed by law, must use reasonable care in storing it, and “shall destroy the biometric identifier within a reasonable time.”

Unlike BIPA, there is no private right of action although the state attorney general has enforcement power to seek a steep penalty of $25,000 for each violation.

2017 – Washington H.B. 1493

We did not see another biometrics privacy statute passed until 2017.  In 2017, Washington enacted a biometrics law that applies to individuals and non-government entities, and regulates the collection, storage, and use of biometric identifiers.  The law prohibits any company or individual from entering biometric identifiers into a database without providing notice, gaining consent, and providing a mechanism for preventing the subsequent use of the biometric data for a commercial purpose.  Biometric identifiers include data generated by automatic measurements of an individual’s biological characteristics, including fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns (hand or face geometry not included).  It also specifically excludes physical or digital photographs, and video or audio recordings, signifying that the statute may apply on a limited scope on facial recognition technology.

The Washington law also does not include a private right of action, but allows enforcement by the state’s attorney general under the Washington’s consumer protection act.

2018 – California Consumer Privacy Act (CCPA)

In 2018, California passed the CCPA, which went into effect on January 1, 2020 and expanded its existing privacy and information security regulatory framework to cover biometric data. We have extensively covered the CCPA in prior posts, but in short, the CCPA broadly defines personal information to include biometric data, including physiological, biological and behavioral characteristics.

The CCPA gives consumers a limited private right of action to sue over any improper use of biometric data.  It allows consumers to sue businesses that fail to maintain reasonable security procedures and practices to protect “nonencrypted or nonredacted personal information” of a consumer and further fail to cure the breach within 30 days.  A violation of this data security provision allows recovery of statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive relief.

2019 – New York Stop Hacks and Improve Electronic Data Security Act (SHIELD)

In 2019, New York expanded its existing data-breach notification laws to cover biometric data with its Stop Hacks and Improve Electronic Data Security (SHIELD) statute.  The SHIELD Act fully went into effect on March 21, 2020.  The SHIELD Act revised the existing definition of covered personal information to include biometric information, such as a fingerprint, voiceprint, retina or iris image, or other unique physical or digital representation of biometric data used to authenticate or ascertain the individual’s identity.  The SHIELD Act applies broadly to “[a]ny person or business which owns or licenses computerized data which includes private information” of a New York resident.

The SHIELD Act requires persons or businesses to develop and implement reasonable safeguards, and to disclose any security breach to the New York residents whose information was compromised.

Although the SHIELD Act does not authorize a private right of action, the state Attorney General may bring an action seeking civil penalties and an injunction.  For data breach notification violations that are not reckless or knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses. For knowing and reckless violations, a court may impose penalties of the greater of $5,000 or up to $20 per instance with a cap of $250,000. For reasonable safeguard requirement violations, a court may impose penalties of up to $5,000 per violation.

In sum, biometrics privacy law is a rapidly growing trend across the nation.  As more states seek to regulate and protect biometric data, persons or businesses that collect, use, and store biometric data should create and implement robust policies and procedures that, at minimum, incorporate reasonable security safeguards and provide for notice and consent requirements.