As companies across industries continue to take advantage of existing and emerging technologies that involve the collection and use of human biometric identifiers, corporate privacy programs must take into account the unique legal and compliance concerns associated with this form of personal data. Currently, the state of Illinois has the most mature regulation, which is heavily litigated and aggressively enforced. Illinois is not alone among states, however, and we anticipate biometric privacy rights will expand across the US in the years to come.
With this in mind, organizations would do well to comply with current laws while implementing privacy-by-design programs that anticipate the changing landscape. The following five steps incorporate bedrock biometric privacy program considerations.
- Determine if your company collects biometric information. It is universally recognized that all entities should identify the types of personal data they collect. It is particularly important for entities to recognize that biometric information is uniquely defined and addressed under numerous laws that impose ever-evolving requirements. It therefore is significant, and not necessarily trivial, to determine if your organization holds biometric data as defined by law.
- If biometric data is collected or used, be prepared to determine which laws apply based on corporate location, collection location, use location, and/or the state of residency of associated individuals. Companies also may find it helpful to segment consumer data from employee data, as some statutes offer different protections for each group. Such assessments should occur frequently to ensure that business operations comply with applicable state biometric information protection statutes.
- Depending upon jurisdiction, disclose that biometric information will be collected and obtain written consent. If a company does collect biometric information in certain jurisdictions or of the residents of certain states, it must make adequate disclosures to those individuals and must obtain their written consent before collecting or using the biometric information. For employers, this typically may occur during the employee's onboarding process. For companies collecting biometric information through mobile applications or software, this often may be achieved when the application or software is first installed by the user.
- Implement an appropriate biometric retention schedule. As required under some laws, and consistent with traditional principles surrounding privacy, risk mitigation and business efficiency, companies should determine at the outset how long they plan to retain biometric information, who will have access to that information, how the information will be maintained, and what level of security will be applied to that data.
- Destroy biometric information that the business no longer needs. Business leaders should determine the length of time biometric information should be maintained before it is destroyed. Best practices suggest destruction should be scheduled as soon as practicable after it is no longer necessary for a business purpose to prevent inadvertent disclosures. For example, an employer may choose to destroy biometric information of employees shortly after termination or resignation; an amusement park may choose to remove biometric information at the end of its season, and big tech companies may choose to remove the biometric information of users when an account is deactivated or when users remove the images containing their biometric information. To be sure though, destruction may be required under state law. In Illinois, for example, an entity must destroy biometric information according to the entity's policy or no longer than three years after the individual's last interaction with a company. Although other states may permit biometric information to be retained for a longer period of time, companies should take into account the significant reduction in their potential legal liability (especially in relation to a data breach) once data is destroyed.
Discussion: How Illinois has shaped the biometric privacy landscape
In 2020 alone, more than 200 lawsuits have been filed alleging violations of Illinois' Biometric Information Privacy Act (BIPA). Many of the cases are class actions, which present significant potential liability and exposure for many businesses–no matter their size. To be sure, large companies are top of mind for plaintiffs' counsel.
For example, earlier this year a "big tech" company reached a US$650 million settlement in a class action lawsuit alleging it violated BIPA through its use of facial recognition software. More states are likely to enact consumer protection statutes to safeguard the biometric information of their residents. Therefore, now is the time to develop a robust and nimble compliance program that can quickly be adapted to meet the varying landscape and requirements of each law.
What is BIPA?
In 2008, Illinois enacted BIPA to "regulate the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers." BIPA was enacted to protect Illinois citizens from identity theft, as biometric data cannot be changed if it is compromised.1 Under BIPA, any private entity who possesses biometric identifiers or biometric information of Illinois residents must develop and follow a written policy that is publically available.2
BIPA defines private entity broadly, and includes "any individual, partnership, corporation, limited liability company, association, or other group[.]"3 Biometric identifiers are defined as retina or iris scans, fingerprints, voiceprints, or the scan of a hand or an individual's face geometry.4 Finally, biometric information means "any information, regardless of how it is captured, converted, stored, or shared," which is based on an individual's biometric identifier and used to identify an individual.5
In order for a private entity to collect or possess a customer's biometric information, it must first inform the data subjects in writing: (a) that it is collecting such information; (b) its purpose for collecting the information; and (c) how long the private entity will retain the information.6 In addition, the entity must obtain written consent from the data subject to legitimize the collection.7 The entity must then use reasonable care to store, transmit and protect the biometric information in its possession, and at no time provide less protection than it does for its own confidential information.8
The most significant aspect of BIPA is that it provides for a private right of action for negligent violations, which allows individuals to recover liquidated damages of US$1,000 or actual damages, whichever is greater.9
Furthermore, for intentional or reckless violations, individuals may recover liquidated damages of US$5,000.10 Plaintiffs may also seek attorney's fees.11
Compounding the potential impact of the law, in 2019, the Illinois Supreme Court held that a private entity's violation of BIPA is sufficient to impose liability, despite the plaintiff not alleging actual injury.12 In other words, an individual can recover damages from a private entity solely on the basis that it did not comply with one of BIPA's requirements. As such, the rationale adopted by the court provides plaintiffs an easier road to recovery, which has in turn led to an explosion of lawsuits.
In August 2020, plaintiffs sued a social media company under BIPA alleging that it unlawfully "collected, captured, obtained, [and] disclosed" biometric information of users without providing proper notice and obtaining consent. Specifically, the plaintiff class alleged the company used its facial recognition technology to analyze the facial features of individuals appearing in photographs and videos uploaded to its platform to create a face template, which it then cross-referenced against other photos.
In September 2020, a minor sued another emerging social media giant, alleging the company collected and stored user face templates and voiceprints without first obtaining consent. The plaintiff further alleged the company used the identifiers "to derive other personally identifying ‘biometric information' pertaining to their users, including age, gender, race, and emotional state, all of which is then linked with the user's name, e-mail address, and other unique identifiers in [the company's] database."
In January 2019, the Illinois Supreme Court held that an amusement park that collected the fingerprint scans of its season pass holders without providing proper notice and obtaining consent may be held liable for BIPA violations. The company argued it collected the biometric information to prevent fraudulent entry to its park and to quickly identify patrons when they returned. Nonetheless, this legitimate use did not prevent the company from facing liability.
In August 2020, a retail store was sued based on allegations that it uploaded images from its in-store video surveillance system to a database that searched for matches based on the facial template and remitted any results back to the retailer. The plaintiff alleged the retailer failed to inform customers of the collection, disclose the length of retention, and obtain consent, thereby violating BIPA.
In perhaps the most common type of cases, employers often collect fingerprint or iris scans of their employees for timekeeping purposes or to grant access to restricted areas. There have been several cases filed by employees alleging that their employers failed to comply with BIPA. For example, in one instance an employee sued his former employer, a nursing home, for requiring employees to scan their fingerprints into a time tracking system. The ex-employee alleged the nursing home did not inform plaintiff (and class members) in writing of the purpose and length of time the fingerprints were being collected, stored and used; failed to provide a retention schedule and guidelines for destroying fingerprints; and failed to obtain written consent prior to its collection.
In reviewing BIPA cases, a few key issues emerge.
First, lawsuits likely will continue to be brought as class actions because the alleged underlying BIPA violations typically apply in common to large groups of employees or customers. The Illinois Supreme Court decision that actual injury need not be proved to maintain a successful action for damages makes it easier to proceed as a class and show that common issues of law and fact predominate over individual inquiries of harm.
Second, federal courts may not have Article III standing to adjudicate suits stemming from strict compliance violations of BIPA. In 2018, a case against a big tech company was dismissed after the court found the plaintiff did not suffer an injury in-fact sufficient to confer the necessary subject matter jurisdiction to proceed in federal court. However, the plaintiffs did not allege that they suffered "any financial, physical, or emotional injury apart from feeling offended by the unauthorized collection," which may have been sufficient for the case to proceed to trial.
Third, BIPA's text does not provide a statute of limitations. This creates a significant litigation risk, as companies may be held liable for violations occurring before they became compliant with the law. For example, an employer who is BIPA non-compliant and collects the biometric information of employees may be sued years later by an employee, despite the employer becoming BIPA compliant before the lawsuit was filed.
Other Biometric Statues
Since BIPA's enactment, Texas and Washington followed suit and passed legislation to protect the biometric information of its citizens, and Alaska and Nevada have enacted laws that focus specifically on the collection of genetic information.
Texas enacted the Capture or Use of Biometric Identifier (CUBI) in 2009, the year after Illinois. Texas similarly defines a biometric identifier to include eye scans, fingerprints, voiceprints and hand or face geometry.13 The law prohibits the collection of such identifiers without first informing the data subject and receiving their consent.14 CUBI also limits the sale and transfer of biometric identifiers, requiring the data subject's consent of the disclosure or as required by a few delineated governmental purposes.15 Differing from BIPA, there is no private right of action. Although a violation of CUBI can lead to US$25,000 civil penalty for each violation, enforcement of the law is limited to the state attorney general.16
In 2017, Washington enacted its biometric privacy law.17 It prohibits the enrollment of biometric identifiers in a database for a commercial purpose without first providing notice and obtaining consent. It also requires additional consent to sell or transfer a collected biometric identifier. A key difference in Washington's law is that its scope is limited to commercial purposes, defined as the "sale or disclosure to a third party of a biometric identifier for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual's biometric identifier." Enforcement is limited to the attorney general under Washington's Consumer Protection Act, who may seek civil penalties up to US$500,000 against companies.
A wider trend is seen in the number of states that now expressly include biometric data within their definition of the types of "personal information" subject to their breach notification laws. These include Arizona, Arkansas, California, Colorado, Delaware, Iowa, Louisiana, Maryland, Nebraska, New Mexico, New York, North Carolina, Oregon, South Dakota, Vermont, Washington D.C., Wisconsin and Wyoming.
Biometric data increasingly is becoming a special category of information within the United States, subject to unique requirements and evolving definitions. Even for companies not operating within state jurisdictions that separately regulate biometric data, careful consideration should be given to ensure this type of information is properly identified (or easily identifiable and segregated in the future) within an organization. Similarly, organizations should consider how their business uses may be impacted in the event of increased requirements or restrictions in relation to biometric data collection, use, retention and security.
1 740 ILCS 14/5(c)-(g)
2 740 ILCS 14/15(a)
3 740 ILCS 14/10
6 740 ILCS 14/15(b)(1)-(2)
7 740 ILCS 14/15 (b)(3)
8 740 ILCS 14/15 (e)(1)-(2)
9 740 ILCS 14/20(1)
10 740 ILCS 14/20(2)
11 740 ILCS 14/20(3)
12 Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186
13 Tex. Bus. & Com. Code § 503.001(a)
14 Tex. Bus. & Com. Code § 503.001(b)
15 Tex. Bus. & Com. Code § 503.001(c)(1)
16 Tex. Bus. & Com. Code § 503.001(d)
17 Wash. Rev. Code Ann. § 19.375.020