Biometric Privacy Laws – What Businesses Need to Know about BIPA

Businesses are increasingly using biometrics to identify and provide services to their customers and employees.  For example, using fingerprint-based time systems ensures the accuracy of employee work hours while preventing practices such as buddy punching.  In addition, businesses can use fingerprint, voice ID, or facial recognition technologies to secure access for their employees and customers.

While adopting these technologies can offer businesses significant efficiencies and improved accuracy, they may also unknowingly create significant risk of multimillion-dollar liability.  A number of states have enacted biometric privacy laws – including protections for biometric information in the recently enacted California Consumer Protection Act (CCPA).  The largest source of risk at this time, however, is the Illinois Biometric Information Privacy Act (BIPA).  With its private right of action and hefty statutory damages (up to $5,000 per violation), businesses are increasingly facing multimillion-dollar settlements for failing to comply with BIPA’s requirements.

What is biometric information?

Biometric information is any data based upon a biometric identifier (a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) that is used to identify an individual.  Notably, the definition of biometric information is broad in two respects.

First, any such data fits within the definition of a biometric identifier regardless of how it is captured.  This means that even gathering publicly available information about an individual (e.g., by taking pictures of an individual in public, or even using a publicly available photograph) can still implicate the statute.

Second, BIPA applies to biometric information regardless of how it is converted or stored.  Therefore, data that is hashed or processed in a way that eliminates the risk of harm is nonetheless protected biometric information if it is derived from a biometric identifier.  For instance, most fingerprint technology reduces a fingerprint scan to a mathematical algorithm, rather than saving an image of the individual’s fingerprint.  This derived algorithm cannot then be reverse engineered to recreate the fingerprint, or otherwise provide the ability to compromise the individual’s security.  This is significant in litigation because even when a defendant can show that a plaintiff has not been exposed to any risk of harm due to the hashing or processing of the data, the plaintiff can generally still assert a claim for statutory damages.

Examples of biometric identifiers from recent lawsuits include:

  • Timekeeping systems: The most common source of litigation.  Businesses have increasingly turned to fingerprint-based timekeeping or POS systems, and each time an employee clocks in or out of such a system can give rise to a $1,000-$5,000 statutory violation.
  • Customer identity verification: A theme park using fingerprint validation for season ticket holders and a locker rental system found themselves subject to BIPA class actions.
  • Facial recognition: Facebook and Shutterfly have found themselves subject to numerous class action lawsuits regarding facial recognition “friend tagging” products.
  • Avatar creation: A video game developer found itself subject to a BIPA class action after it introduced a feature allowing players to undergo a scan in order to use their likeness as a player.

Am I prohibited from collecting biometric information?

No.  BIPA and other biometric privacy laws do not generally prohibit the collection of biometric information.  Rather, the statute imposes certain obligations on businesses that possess biometric information, including:

  • creating a publicly available written policy about its biometric data practices,
  • providing a written disclosure to any individual from whom biometric information is collected, before the collection occurs,
  • prohibiting the sale of biometric information, and
  • using a commercial standard of care for storing, transmitting, and protecting biometric information from disclosure.

What must I do before collecting biometric information?

First, a business must ensure that it has a written policy in place that covers topics such as a retention schedule and guidelines for permanently destroying biometric information when it is no longer needed for the purpose for which it was initially collected.  Implementing a written policy should be a thoughtful exercise in which the business evaluates the purposes for which the information is collected, its data security obligations, and the extent to which the information may be shared with vendors or service partners.  Because the policy must be made publicly available, a business is at heightened risk of claims that it has failed to honor the terms of its own policy.

Second, a business must prepare a written notice that will be provided to any individual from whom biometric information is collected.  The notice must specifically provide that biometric information is being collected, provide the purpose for which the information is being collected, and describe the length of time that the biometric information will be collected, stored, and used.  The business then must obtain a written release from the individual authorizing the collection and use of their biometric information.

What are my ongoing obligations for biometric information?

A business must take appropriate steps to ensure the security of biometric information.  In addition, it should consistently reevaluate the need to continue retaining stored biometric information, and ensure that this data is deleted when it is no longer needed.

Am I allowed to share biometric information?

Generally speaking, a business may not disclose biometric information to any third party without the subject’s express permission.  Typically, a properly worded point-of-collection disclosure and acknowledgment should identify service providers and vendors with whom the biometric identifier may be shared (e.g., a timekeeping/POS platform).  Any sharing of biometric information should be restricted to those instances that are in furtherance of services provided by the business to the consumer, as sharing for other purposes risks being found to be the improper selling of biometric information.

What are the penalties for violating BIPA?

BIPA provides for a baseline statutory damage of $1,000 for each violation of the statute, with the statutory damage increasing to $5,000 for each intentional or reckless violation.  As recent litigation has demonstrated, BIPA claims are ripe for class treatment, where individual statutory damages awards quickly combine into risk exposure in the millions.

Want to learn more? View our recent webinar for more information on BIPA and other laws impacting the use of biometric data.