Two more states have pending bills seeking to regulate biometric data collection. Illinois, Texas, and Washington currently have active biometric privacy laws, and New York and Maryland will likely join that list, as these state bills are expected to pass. Biometric data refers to identifiers that are unique to an individual. By now, most people have undoubtedly heard of biometric-based technology and probably use it every day. Some examples are facial recognition used for cell phone security and voice recognition, like activating a home smart device. Behavioral characteristics can also be considered biometric data – like a person’s handwriting or keystrokes.
Currently, biometrics is a common method of identification and a way to grant access to devices. As this technology continues to advance, it will become increasingly prevalent and generate more sensitive data. This has sparked privacy concerns, since misuse of this information can lead to serious issues like identity theft. Additionally, when biometric data becomes compromised, it will never be completely secure as a method of authentication again, which is more damaging than when other types of data are stolen, like a person’s credit card number. You can order a new credit card, but you can never change your fingerprints. All of this makes it safe to say that the trend of states enacting biometric privacy laws will continue throughout the nation. It will be interesting to observe how many states allow for a private right of action and what this means for class action activity in the realm of biometric data privacy.
Overview of Current and Proposed State Biometric Privacy Laws
Biometric privacy regulations instruct organizations on how they should handle and safeguard this data. Topics covered include collection, retention, destruction, notice procedures, sale, and data protection. In 2008, Illinois was the first state to pass a law regulating biometric data. The Illinois law is definitely the strictest of the three active state statutes and the only one that allows for a private right of action. If the bills pass as proposed, New York and Maryland would join Illinois and allow affected consumers to sue organizations that fail to handle their biometric data according to the rules laid out in the new laws.
These two bills are also very similar to the Illinois statute in several other ways. For example, organizations doing business in Illinois (as well as Maryland and New York if the bills pass) need to implement policies regarding retention of biometric data. This could include timelines for data retention or destruction and guidelines on when it is appropriate to store or discard this information. Other common themes include banning the sale of, or profit from, another person’s biometric data, consumer consent for disclosure, and the emphasis on data protection. While the active biometric privacy laws in Texas and Washington share some overlapping features, the absence of a private right of action and policy requirements are major differences that render these two laws less restrictive.
Class Action Predictions
With two new bills allowing for a private right of action, courts need to be prepared for a wave of class action claims if organizations doing business in Maryland and New York that handle biometric data fail to comply. Illinois courts have already experienced this type of increased activity, with a significant rise in class actions based upon improper collection of biometric data. The Illinois Supreme Court opened the floodgates even further by ruling that there only needed to be a mere violation of individual privacy rights to initiate a class action under the biometric privacy law. Without needing to prove an actual injury from the breach, a lot more people have standing. For example, just the fact that an organization collects fingerprints without consent could be enough, which is what the Illinois Supreme Court ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 was based upon. In Rosenbach v. Six Flags Entertainment Corp., an amusement park faced liability for collecting thumbprints from customers purchasing season passes without informing them or obtaining consent. Think of how many thumbprints the park collected and how much liability is on the table without the need to show actual injuries.
As such, organizations need to prepare for the astronomical monetary implications that biometric privacy class actions can create. The Illinois law and two pending state bills allow $1,000 for each violation and $5,000 if the violations are intentional or reckless. Even smaller class actions have the potential to financially devastate a company, especially if an actual injury is not required to make a claim. These types of cases also have a higher chance of success, since privacy concerns are becoming more prominent both in the states and on a global scale. All of this makes class action certification easier and organizations need to be ready.
There are several best practices for companies doing business in any state allowing for a private right of action to implement, including developing comprehensive biometric data policies, ensuring proper data security around biometric data, providing notice of biometric data collection and intended use purposes, obtaining written consent to disseminate biometric data, and banning the sale of this information. While implementing these practices is especially important for organizations operating in New York and Maryland, it is a prudent idea for other states to start thinking about this as more bills will predictably pop up in the near future, bringing class actions along with them.
Biometrics will be more prevalent as the technology continues to be used more widely, and organizations need to understand their obligations. The first thing to do is monitor any relevant state biometric privacy laws. Remember, an organization does not need to be located in that specific state to be subject to the law. Also check on local ordinances, as there are additional ordinances in cities like Portland, Oregon and New York City that regulate biometric data in a more limited capacity but also allow for a private right of action. Next, organizations handling biometric data should evaluate their practices and make changes more in line with biometric data regulations. A proactive mindset is the best thing to have right now, as more states will undoubtedly introduce bills regulating biometric data privacy over the next few years. If an organization handles this type of data, it is best to take steps to protect it and be transparent. Expect new bills to follow the trend of allowing a private right of action, anticipate class actions for non-compliance, and assume that other states will follow the lax stance of not needing an actual injury to assert standing. It is better to be over-prepared, even if courts veer from what has happened in Illinois, as not being proactive enough can be much more damaging to an organization’s finances and overall reputation.