As retailers get back to business in the United States, the laws implicating biometrics and the increase in use cases for biometric technologies have caused these businesses to refocus their data collection points. One such use case that merits special attention, specifically in the context of reopening businesses after COVID-19 precautionary closures, is the information collected via security footage (also receiving attention as a result of recent protests). This article discusses whether data collection via security footage possibly qualifies as "biometric identifiers" or "biometric information" under various state laws that implicate the topic, and whether notice and consent are necessary to collect and use that footage.

Notice and consent under biometric data privacy laws

To use surveillance cameras and the related security footage, businesses must be mindful of state-specific biometric data regulations, which may require notice to and consent by the individual(s) being monitored or recorded.

One prominent example is the Illinois Biometric Information Privacy Act (BIPA), which is among the most comprehensive state biometric privacy laws. BIPA sets forth two regulated categories of biometric data: biometric identifiers and biometric information. Under BIPA, biometric identifiers include scans of hand or face geometry, retina or iris scans, fingerprints, or voiceprints. Biometric information includes any information based on a biometric identifier used to identify an individual. In the event security footage captures such biometric data, the collecting businesses may not collect, capture, purchase, receive through trade, or otherwise obtain such biometric data without first providing individuals written notice that their biometric data is being collected or stored and the purpose and duration for such use (740 Ill. Comp. Stat. 14/15(b)(1)-(2)). Further, such business must also receive a signed written release of the individual that allows for the collection of their biometric data. Id. at Section 14/15(b)(3).

Washington and Texas similarly require some form of notice and consent for biometric data collection. Under Washington's law, a business cannot enroll an individual's biometric identifier into a database without first providing notice (which must be reasonable under the circumstances), obtaining consent, or providing a mechanism to prevent the subsequent use of the biometric identifier (Rev. Code Wash. (ARCW) Section 19.375.020(1)). The law does not specify the type of notice and consent required in any given circumstance, but rather provides that "[t]he exact notice and type of consent required to achieve compliance ... is context-dependent." (Rev. Code Wash. (ARCW) Section 19.375.020(2)). Washington's statute may implicate security footage in a particular way (if such footage or the characteristics of subjects derived from it qualified as biometric data) as – unlike BIPA – it allows for an exception to unauthorized disclosure of biometric data to "protect against or prevent actual or potential fraud, criminal activity, claims, security threats, or liability" which could arguably speak to the purpose of security footage (Rev. Code Wash. (ARCW) Section 19.375.020(4)).

Under Texas's law, a business may not "capture a biometric identifier of an individual" unless it first provides notice and obtains consent by "inform[ing] the individual before capturing the biometric identifier" and "receiv[ing] the individual's consent to capture the biometric identifier." (Tex. Bus. & Com. Code Ann. Section 503.001(b)(1), (2)). Although neither the Washington law nor the Texas law specifically requires that the form of consent be in writing, documenting any such consent is best practice.

The good news for retailers with security cameras is that the Washington and Texas laws apply only if biometric data is collected for a commercial purpose. While the Texas law does not define "commercial purpose," the Washington law defines it as a purpose in furtherance of the sale or disclosure to a third party for marketing goods or services that are unrelated to the initial transaction in which the person obtained the biometric identifier. (Rev. Code Wash. (ARCW) Section 19.375.010(4)). Given the combination of the "commercial purpose" requirement and the "security threat" prevention exception in Washington, it is possible that some security footage would not fall within the scope of the law. Nonetheless, in the event a business decides to use security footage for a commercial purpose, the business must consider the necessary safeguards needed for compliance based on the capabilities of the technology used and the locations where it is deployed.

Like BIPA and the Texas and Washington laws, the California Consumer Privacy Act (CCPA) also regulates the collection of biometric information by certain businesses. However, it defines the term more broadly and does not draw distinctions between "identifiers" and "information." Biometric information is defined by the CCPA as any single physiological, biological, or behavioral characteristic, or combination thereof, that can be used to establish an individual's identity, and is included in the CCPA's definition of "personal information." (Cal. Civ. Code Section 1798.140(o)(1)(E)). The CCPA specifically provides examples of what may constitute biometric information, including, but not limited to, imagery of an individual's iris, retina, face, hand, and palm from which an identifier template can be extracted. Biometric information may also extend to an individual's voice recordings. Therefore, depending on the level of detail and ability to identify subjects that a CCPA-covered business's surveillance system is able to capture, it is possible that the biometric information obtained from it is protected under the CCPA. If so, a business that collects a consumer's biometric information must, at or before the point of collection, inform the consumer that the biometric information is being collected and the purposes for which such biometric information will be used.

BIPA and the CCPA – unlike the Washington and Texas laws – both provide a private right of action that may be implicated in the collection of biometric data. Under BIPA, a private right of action exists for any person "aggrieved" by a violation of the statute. See 740 Ill. Comp. Stat. 14/20. In early 2019, the Illinois Supreme Court clarified that BIPA plaintiffs need not plead an actual injury in order to be "aggrieved" such that they have a private right of action, thereby resulting in a flurry of class action litigation under the statute. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019). The private right of action under the CCPA is much more limited and narrow in scope than that of BIPA, but nonetheless presents a litigation risk. Under the CCPA, an individual must instead show that his or her unencrypted or nonredacted personal information (as defined by the statute) was accessed, exfiltrated, stolen, or disclosed, without authorization by such individual, as a result of a business's failure to maintain reasonable security procedures and practices. (Cal. Civ. Code Section 1798.150(a)(1)).

Moving forward safely and in compliance

It is natural for businesses to be concerned about the security of their premises and to explore new technologies that can help mitigate health and safety risks related to that security. However, in an era of ever-increasing privacy concerns, setting up high-tech surveillance cameras is not as simple as it may have once been. Rather, as biometric privacy regulations continue to be passed and revised, businesses must be aware of the possible notice and consent requirements, such as those under current laws described above, and an increasing trend in proposed biometric legislation that is likely to continue to grow. In fact, there is now a generally heightened attention on biometric data collection as a result of COVID-19, and the pandemic alone may be the root of additional biometric legislation by which businesses may need to abide.

Originally published 01 July, 2020

This article is presented for informational purposes only and is not intended to constitute legal advice.