Biometrics beware – Compliance and the Biometric Information Privacy Act

Eversheds Sutherland (US) LLP

Companies in all industries and of all sizes are increasingly using biometric data—fingerprints, voiceprints, and facial structure, to name three—as a faster, more reliable, and more economical alternative to passwords and other forms of security. Biometric data is not typically stored in the form in which it is captured, and risks associated with a breach of biometric data are therefore greatly minimized compared to other forms of stored sensitive data. The downside is that, unlike a Social Security number, for example, a person’s biometric data generally cannot be altered, creating a much longer tail on the risk that does remain, and one with a greater potential for harm. As a result, states have begun enacting laws specifically addressing the collection and safekeeping of biometric data, with more states expected to follow suit in the coming years.

By far the most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of hundreds of class action lawsuits in the last few years alone. Companies that handle biometric data—especially but not only biometric data belonging to Illinois residents—should be aware of the numerous requirements that BIPA imposes. Texas[1] and Washington[2] have also enacted statutes governing their residents’ biometric data. Although neither provides a private right of action, both states’ laws do impose certain notice and consent requirements, along with biometric data retention limits. Other states continue to consider legislation akin to the Illinois, Washington, and Texas laws.[3] There is not yet a single, overarching federal law governing biometrics,[4] despite some industry-specific laws incorporating biometrics protections in limited fashion.[5]

In addition to being the only statute to provide a private right of action, BIPA imposes the strictest requirements on private entities that collect, store, or use biometric data. The law also contains important ambiguities, including as to the extent of its extraterritorial reach, whether and how it applies to photographs, and the scope of its applicability to service providers that are not customer-facing. Companies may want to consider complying with BIPA, even if not necessarily subject to its reach, to mitigate the risk of falling within BIPA’s strictures, to help deter costly litigation, and to provide a degree of insurance against future biometrics laws.

What is covered by BIPA?

BIPA encompasses what it defines as “biometric identifiers” and “biometric information,” to which we will refer collectively as “biometric data.” Biometric identifiers include “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”[6] Biometric information, in turn, is defined as “any information” based on a biometric identifier that can be used to identify that individual. According to one court, “whatever a private entity does in manipulating a biometric identifier into a piece of information, the resulting information is still covered by [BIPA] if that information can be used to identify the person,” even if the resulting information is a “mathematical representation or, even simpler, a unique number assigned to a person’s biometric identifier.”[7]

It is essential also to understand what kind of information is not covered by BIPA. Writing samples, demographic information, and physical descriptions are excluded, as are biological materials covered by the Genetic Information Privacy Act and information collected “in a health care setting.”

Importantly, photographs are excluded from the definition of a biometric identifier under BIPA,[8] and the definition of biometric information explicitly states that it does not include information derived from items excluded under the definition of biometric identifiers.[9] Nonetheless, a few courts have held that a scanned photograph can be subject to the requirements of BIPA in certain circumstances. As one court put it, the law “does not specify how the biometric measurements must be obtained,” and “particular biometric identifiers can, in fact, be collected in various ways without altering the fact that the measurements still are biometric identifiers” subject to BIPA’s protections.[10] According to that same court, the “bottom line is that a ‘biometric identifier’ is not the underlying medium itself, or a way of taking measurements, but instead is a set of measurements of a specified physical component (eye, finger, voice, hand, face) used to identify a person.”[11] Therefore, if a private entity uses an individual’s biometric measurements contained in a photograph to ultimately identify that individual, it could constitute a “scan of face geometry,” one of the biometric identifiers defined in BIPA.

To presume that BIPA’s “scan of face geometry” biometric identifier would only apply to an in-person scan of an individual’s face, as opposed to any scan from which biometric measurements could be taken, would be a higher-risk interpretation, or, in the words of the Northern District of Illinois, a “narrow” and “problematic” reading of BIPA.[12] Indeed, Facebook, Google, and Shutterfly have been named in class action lawsuits arising from allegations that individuals’ biometric identifiers were gathered from photographs uploaded to the defendants’ websites.[13]

Therefore, to mitigate risk, if a company is using photographs for facial identification purposes, it may be wise for it to follow the BIPA requirements.

Who is subject to BIPA?

Illinois residents asserting BIPA violations have mostly been employees or consumers whose biometric data was collected in the course of their employment or use of a defendant’s commercial services. BIPA regulates any private (non-governmental) entity that collects, stores, uses, or profits from biometric data belonging to Illinois residents.[14] Some private entities, however, are exempted. Most notably excepted are financial institutions, or their affiliates, subject to the privacy notice provisions of the Gramm-Leach-Bliley Act of 1999.[15] Furthermore, by its own terms, BIPA cannot conflict with HIPAA, the X-Ray Retention Act, or the Private Detective, Private Alarm, Private Security, Fingerprint Vendor, and Locksmith Act of 2004.

Whether BIPA applies extraterritorially to non-Illinois companies remains something of an open question. At least two BIPA defendants located outside the state raised the issue at the motion to dismiss stage, and although the Northern District of Illinois found that there are “legitimate extraterritoriality concerns,” and that BIPA does not apply extraterritorially “as a matter of law,” the defense has not been sufficient—at least yet—to warrant dismissal of a BIPA claim.[16] Similarly, the viability of constitutional defenses, including under the Dormant Commerce Clause or Due Process Clause, is not entirely clear.

What’s at stake?

For several years following its enactment in 2008, BIPA sat relatively dormant. Then, beginning in about 2015, several plaintiffs’ firms began filing putative class action complaints against some of the most well-recognized companies in America. The increasing proliferation of BIPA class action lawsuits is no surprise in light of two facts: first, the use of biometrics is growing rapidly in all industries and for a variety of purposes; and second, BIPA provides an exceptionally rich incentive to plaintiffs’ attorneys filing these lawsuits. Indeed, the statute provides for recovery of liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus recovery of fees and costs, including legal and expert expenses.[17]

In January 2019, the Illinois Supreme Court found that a plaintiff need not allege actual harm, separate from a violation of BIPA, to satisfy the “aggrieved” person standard under the law. See Legal Alert: The floodgates open – Illinois Supreme Court issues landmark ruling in biometrics case. This is particularly important in this context because there have been no BIPA complaints arising from a breach of biometric data, so plaintiffs have generally been unable to plead actual harm in connection with a violation of this law. In contrast to the Illinois Supreme Court, most federal courts have dismissed complaints where there are no allegations of the actual harm necessary to satisfy the injury-in-fact requirement of Article III of the US Constitution.

Given the outsized damages at stake, let us turn to what BIPA requires of companies that handle biometric data.

What does BIPA require?

BIPA imposes five general requirements on companies that use biometric data in one form or another.[18]

1. Consent: Collection, Use, Storage

The subject of the vast majority of BIPA lawsuits thus far is found under Section 15(b), which imposes written consent requirements on private entities that “collect, capture, purchase, receive through trade, or otherwise obtain” an individual’s biometric data. The obtaining entity must explain why and for how long the biometric data is being collected, stored, or used, and the individual (or that person’s legally authorized representative) must execute a written release. 

A critical point of ambiguity in the law is whether, as a practical matter, its notice and consent requirements can apply equally to those that collect biometric information and to those that receive it. The provisions of Section 15 are not phrased in the passive voice, such that a processor or service provider would merely have to ensure, via contract with the collector, that appropriate consent has been obtained. Instead, the company itself appears to have to inform the individual and collect the individual’s written consent. Plaintiffs have seized on this broad provision to assert BIPA violations against third-party vendors that may store or use biometric data despite not necessarily interfacing directly with the individuals from whom the biometric data is collected.

As a risk mitigation measure, therefore, to the extent a service provider or processor does not have the opportunity to collect consent directly, it may try to ensure, via contract or through software modifications, that the collectors are naming them in the consent requests. For the same reasons, service providers may consider including indemnity provisions specifically tied to complying with BIPA. 

2. Consent: Disclosure & Dissemination

The statute includes a separate consent requirement for private entities that intend to disclose an individual’s biometric data. Entities responding to warrants or subpoenas are not bound by this requirement, nor are entities using the biometric data to complete a financial transaction by the individual. 

Both consent requirements can be satisfied in the employment context by obtaining a written release as a condition of employment. 

3. Prohibition against profiting

In addition to its consent requirements, BIPA explicitly prohibits private entities from selling, leasing, trading, or “otherwise profit[ing] from” an individual’s biometric data. This has not generally been the subject of BIPA class actions, thus raising a question of how broadly courts will interpret the phrase “otherwise profit.”

4. Retention Policy

Companies subject to BIPA must also develop, publish, and abide by a retention schedule for biometric data they collect. Biometric data must be destroyed by the earlier of the time at which the purpose of the initial collection has been satisfied or three (3) years from the last interaction between the entity and the individual. Companies must make this retention schedule publicly available.

5. Reasonable Standard of Care

Finally, entities that possess biometric data governed by BIPA must “store, transmit, and protect” biometric data: (1) using the reasonable standard of care in the entity’s industry; and (2) in a manner consistent with how the entity handles other sensitive information. This two-prong requirement highlights the need for companies to incorporate biometrics into their data compliance programs and to stay abreast both of security threats as well as prevention and response best practices. In other words, the requirement for reasonable security features means a risk-based approach and a dedicated—and documented—commitment to a continuous culture of cybersecurity. 

Conclusion

States recognize that biometric data presents not only unique opportunities but also unique risks. To quote the Illinois legislature: “Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.” With that as a backdrop, states have stepped in to regulate the space, in ways that carry the potential for substantial costs for even the appearance of noncompliance. Given the doubt surrounding BIPA’s extraterritorial reach, its implications for photographs, its applicability to service providers, and the practical difficulties in parsing data by state residency, companies unsure of whether and when BIPA applies may want to consider a proactive and prudential compliance program. Even those companies that do fall definitively under BIPA may want to make sure they have a mechanism in place to ensure continuous compliance with BIPA’s security requirements.
____

[1] Tex. Bus. & Com. Code Ann. § 503.001 (2009).

[2] Wash. Rev. Code § 19.375 (2017).

[3] See, e.g., Alaska, Delaware, Massachusetts, Michigan, and New York.

[4] Over the last few years, a few bills have been proposed. For example, on March 18, 2019, members of the Senate Committee on Commerce, Science, & Transportation introduced the Commercial Facial Recognition Privacy Act of 2019. As written, the bill only applies to facial recognition technology and would not supersede state laws. The bill has not yet moved out of committee.

[5] See, e.g., the Health Insurance Portability and Accountability Act (HIPAA); Gramm-Leach-Bliley; and the Children’s Online Privacy Protection Act (COPPA).

[6] 740 ILCS 14/10 (2008).

[7] Rivera v. Google, 238 F. Supp. 3d 1088, 1095 (N.D. Ill. 2017); see also Norberg v. Shutterfly, Inc., 152 F. Supp. 3d 1103, 1106 (N.D. Ill. 2015); In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155, 1172 (N.D. Cal. 2016).

[8] “Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.” 740 ILCS 14/10.

[9] Id.

[10] Rivera, 238 F. Supp. 3d at 1095 (emphasis in original).

[11] Id. at 1096.

[12] Monroy v. Shutterfly, No. 16 C 10984, 2017 WL 4099846, at *3 (N.D. Ill. Sept. 15, 2017); see also In re Facebook, 185 F. Supp. 3d at 1172.

[13] See Rivera, 238 F. Supp. 3d at 1097 (“if Google simply captured and stored the photographs and did not measure and generate scans of face geometry, then there would be no violation”) (emphasis in original).

[14] The exemption for governmental entities extends to contractors and subcontractors.

[15] 740 ILCS 14/25.

[16] Rivera, 238 F. Supp. 3d at 1100; see also Monroy, 2017 WL 4099846, at *6.

[17] 740 ILCS 14/20.

[18] 740 ILCS 14/15.


© Eversheds Sutherland (US) LLP | Attorney Advertising