Biometric privacy continues to be a hot-button topic in the United States, with more states contemplating the adoption of biometric data protection laws. In an effort to avoid costly litigation as the country continues to reopen following the COVID-19 pandemic, businesses should be mindful of the potential risks when implementing biometric policies and procedures.

What Is Biometric Data and How Is It Used?

Generally, biometric data consists of physical characteristics that can be used to digitally identify a person. Physiological biometrics pertain to the body and include DNA, retinal scans, fingerprints, and other characteristics such as the shape of a person's hand or face or the sound of their voice. Due in large part to the increased practicality and affordability of biometric technology, businesses have gradually begun to use it for various beneficial purposes, such as biometric time clocks to prevent "buddy punching," facilitating consumer transactions, and restricting access to secure areas.

Current Biometric Privacy Laws

Standalone biometric privacy laws have currently been adopted in three states: Illinois, Texas and Washington. Among those three, only Illinois' Biometric Information Privacy Act (BIPA, 740 ILCS 14/) provides for a private right of action, which has made it very attractive to the plaintiffs' bar. Despite its enactment in 2008, the Illinois BIPA only came to the forefront in 2015 and has turned into a plaintiffs' buffet in recent years. In fact, between 2015 and 2020 alone, over 1,000 class action complaints were filed across the United States alleging violations of the Illinois statute. As discussed below, other states are now introducing legislation nearly identical to the Illinois BIPA, so it is important to understand and address key aspects of the Act to ensure compliance.

The Illinois BIPA was enacted in response to the increased use of biometric technology and the sensitive nature of biometric identifiers and associated data. The Act regulates the collection, capture, and storage of "biometric identifiers," such as fingerprints, voiceprints, retina/iris scans, and scans of hand or face geometry. The Illinois BIPA provides a private right of action and allows plaintiffs to recover liquidated damages and attorneys' fees. Specifically, the Act provides that "[a]ny person aggrieved by a violation" can recover "liquidated damages of $1,000 or actual damages, whichever is greater" for negligent violations, and "liquidated damages of $5,000 or actual damages, whichever is greater" for intentional or reckless violations.

Courts interpreting the statute have concluded that claimants need not sustain actual damages in order to qualify as a "person aggrieved" under the Act. In Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, the Illinois Supreme Court held that a person need not allege any actual injury or adverse effect beyond a technical violation of the statute in order to state a claim. Pursuit of these lawsuits became even more attractive following the Rosenbach decision, partly due to its holding that a "violation [of the BIPA], in itself, is sufficient to support the individual's or customer's statutory cause of action." Id. at ¶ 33.

Despite this expansive interpretation of biometric privacy laws, the Illinois statute provides guidance on how businesses can mitigate their exposure by adopting policies which: (1) first and foremost, inform individuals in writing that their biometric data is being captured; (2) outline the purpose and period of time for which the data will be used; and (3) obtain a written release from individuals consenting to the collection. The Illinois statute also requires a compliant, publicly available written policy, prohibits disclosure of biometric data to third parties absent consent, and mandates a "standard of care" that businesses must adhere to in protecting biometric data.

Special Concerns During COVID-19

As businesses adjust to the new "norms" following COVID-19, they will likely explore policies and procedures that aim to minimize consumer interaction and protect their invitees and customers from potential exposure to the virus. One solution is the implementation of contactless infrared facial scanning to check an employee's or invitee's temperature. The use of contactless infrared facial scanning raises potential issues under biometric privacy laws if it collects and captures a person's facial geometry without consent. Thus, even as businesses adopt technologies with the best of intentions to protect the health and safety of those who work within or visit their facilities, it will be important to understand the scope of biometric privacy laws in the states where these policies are implemented and to ensure that proper steps are taken to maintain compliance.

What's Next?

On January 6, 2021, the New York state legislature introduced a standalone biometric information privacy bill, AB 27, which is a carbon copy of the Illinois BIPA. If passed, it would become only the second biometric privacy act in the United States to provide a private right of action and plaintiffs' attorneys' fees for successful litigants.

Hot on New York's heels, and just a week after the introduction of AB 27, Maryland introduced its own standalone biometric privacy bill on January 13, 2021 (House Bill 218) called the "Commercial Law – Consumer Protection – Biometric Identifiers and Biometric Information Privacy." While substantially similar to both Illinois' BIPA and New York's proposed legislation, Maryland's bill in its current form differs in a couple of respects. For example, the definition of "biometric identifiers" is arguably even broader, extending to "data of an individual generated by automatic measurements of that individual's biological characteristics such as fingerprint, voiceprint, genetic print, retina or iris image, or any other unique biological characteristic that can be used to uniquely authenticate the individual's identity." Moreover, the proposed legislation also clarifies that the broader definition of "biometric information," which includes "any information regardless of how it is captured, converted, stored, or shared based on an individual's biometric identifier used to identify an individual," does not include "information derived from an item or a procedure excluded under the definition of a biometric identifier," such as photographs or information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under HIPAA. The proposed Maryland legislation also clarifies that a policy regarding retention/destruction of biometrics need not be made "publicly available" if the policy "applies only to the employees of the private entity," and "is used solely for internal company operations."

Best Practices for Compliance

In short, as businesses contemplate the use of biometric technology to navigate their way through COVID-19 and beyond, it is important that they understand and comply with biometric privacy laws in each state where they operate. This should extend to adopting practices and policies governing the collection, storage, and retention of biometric information, as well as avoiding or disabling technologies that unnecessarily collect such data, to ensure continuing compliance with governing state statutes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.