Biometrics are physical or behavioral human characteristics that can be used to digitally identify a person to grant access to systems, devices, or data. Examples of biometric identifiers are fingerprints, facial geometry scans, and voice prints, as each is considered unique to the individual. Unlike a Social Security number, a person’s biometric data generally cannot be altered.
States have begun enacting laws specifically addressing the collection and safekeeping of biometric data, with more states expected to follow suit in the coming years. By far the most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of hundreds of class action lawsuits in the last few years alone. While none of these class actions have yet gone to trial, there have been some noteworthy large settlements of cases.
A BOOM IN BIOMETRICS
The use of biometrics in the business world has become widespread, and the types of usage are constantly evolving. With new technological developments—and the technology itself becoming more readily available—industries of all sizes and kinds are using biometrics for many different purposes.
For example, fingerprint readers and facial geometry scanners are growing in use across healthcare settings. With just a touch of a finger or scan of a face, biometric tools can identify and authenticate patients and employees by detecting unique biological information. They often improve the accuracy of recordkeeping and guard the physical security of medications, thus reducing errors.
These technologies are aimed at increasing security and, to a lesser degree, convenience, but they raise concerns about data privacy and cybersecurity and pose risks to both. However effective, convenient, or efficient these technologies may be, companies need to think carefully about their adoption and implementation.
KEY COMPONENTS OF BIPA
BIPA requires private entities that obtain biometric information or identifiers to first inform the subject in writing that their information is being collected and stored, inform the subject of the specific purpose and term for collection and storage, and secure a written release from the subject. BIPA also prohibits the disclosure of biometric information without the subject’s consent.
Private entities also cannot sell, lease, trade, or profit from a person’s biometric information. Further, BIPA requires a private entity in possession of biometric identifiers and information to develop a publicly available written policy establishing a retention schedule and providing guidelines for the permanent destruction of the information. Any person aggrieved by a BIPA violation may file suit to recover statutory damages of $1,000 for each negligent violation or $5,000 for each intentional or reckless violation, plus reasonable attorney fees and costs. To establish standing, actual harm is not required and mere procedural violations are sufficient.
SIMILAR STATUTES IN TEXAS & WASHINGTON
Texas and Washington also enacted statutes governing their residents’ biometric data. Although neither statute provides a private right of action (instead leaving enforcement to the state attorney general), both states’ laws do impose certain notice and consent requirements, along with biometric data retention limits.
Numerous other states continue to consider legislation akin to the Illinois, Washington, and Texas laws. There is not yet a single, overarching federal law governing biometrics, despite some industry-specific laws incorporating biometrics protections in limited fashion.
CONSIDERATIONS FOR COMPANIES THAT EMPLOY BIOMETRICS
Companies that handle biometric data (especially, but not only, biometric data belonging to Illinois, Texas, or Washington residents) should be aware of the numerous requirements that BIPA and the other state statutes impose.
Companies should consider complying with BIPA and similar state regulations—even if not necessarily subject to the statutes—to mitigate the risk from the uncertainty of the statutes’ scope and application, to help deter costly litigation, and to provide a degree of insurance against future biometrics laws.