Biometric Privacy Laws and Business – What Businesses Need to Know about Federal and State Laws
Businesses are increasingly using biometrics to identify and provide services to their customers and employees. For example, using fingerprint-based time systems ensures the accuracy of employee work hours while preventing practices such as buddy punching. In addition, businesses can use fingerprint, voice id, or facial recognition technologies to secure access for their employees and customers.
While adopting these technologies can offer businesses significant efficiencies and improved accuracy, they may also unknowingly create significant risk of multimillion-dollar liability. A number of states have enacted biometric privacy laws – including protections for biometric information in the California Consumer Privacy Act (CCPA) and other recently enacted state privacy laws. The largest source of risk at this time, however, is the Illinois Biometric Information Privacy Act (BIPA). With its private right of action and hefty statutory damages (up to $5,000 per violation), businesses are increasingly facing multimillion-dollar settlements for failing to comply with BIPA’s requirements.
What is biometric information?
Biometric information is any data based upon a biometric identifier (a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) that is used to identify an individual. Notably, BIPA’s definition of biometric information is broad in two respects.
First, any such data fits within the definition of a biometric identifier regardless of how it is captured. This means that even gathering publicly available information about an individual (e.g., by taking pictures of an individual in public, or obtaining a publicly available photograph) can still implicate the statute.
Second, BIPA applies to biometric information regardless of how it is converted or stored. Therefore, data that is hashed or processed in a way that eliminates the risk of harm is nonetheless protected biometric information if it is derived from a biometric identifier. For instance, most fingerprint technology reduces a fingerprint scan to a mathematical representation (a template), rather than saving an image of the individual’s fingerprint. This derived template cannot then be reverse engineered to recreate the fingerprint or otherwise provide the ability to compromise the individual’s security. This is significant in litigation because even when a defendant can show that a plaintiff has not been exposed to the risk of harm due to hashing or processing of the data, the plaintiff can generally still assert a claim for statutory damages.
Examples of biometric identifiers from recent lawsuits include:
- Timekeeping systems: The most common source of litigation. Businesses have increasingly turned to fingerprint-based timekeeping or POS systems, and each time an employee clocks in or out of the system can give rise to a $1,000-$5,000 statutory violation.
- Customer identity verification: A theme park using fingerprint validation for season ticket holders and a locker rental system found themselves subject to BIPA class actions.
- Facial Recognition: Facebook and Shutterfly have found themselves subject to numerous class action lawsuits regarding facial recognition “friend tagging” products.
- Avatar Creation: A video game developer found itself subject to a BIPA class action after it introduced a feature allowing players to undergo a scan to be able to use their likeness as a player.
Am I prohibited from collecting biometric information?
No. BIPA and other biometric privacy laws do not generally prohibit the collection of biometric information. Rather, the statute imposes certain obligations on businesses that possess biometric information including:
- creating a publicly available written policy about its biometric data practices,
- providing written disclosure to any individual from whom biometric information is collected before the collection occurs,
- prohibiting the sale of biometric information, and
- using a commercial standard of care for storing, transmitting, and protecting biometric information from disclosure.
What must I do before collecting biometric information?
First, a business must ensure that it has a written policy in place that includes both a retention schedule and guidelines for permanently destroying biometric information when it is no longer needed for the purpose for which it was initially collected. Implementing a written policy should be a thoughtful exercise in which the business evaluates the purposes for which the information is collected, its data security obligations, and the extent to which the information may be shared with vendors or service partners. Because the policy must be made publicly available, a business is at heightened risk of claims that it has failed to honor the terms of its own policy.
Second, a business must prepare a written notice that will be provided to any individual from whom biometric information is collected. The notice must specifically provide that biometric information is being collected, provide the purpose for which the information is being collected, and describe the length of time that the biometric information will be collected, stored, and used. The business then must obtain a written release from the individual authorizing the collection and use of their biometric information.
What are my ongoing obligations for biometric information?
A business must take appropriate steps to ensure the security of biometric information. In addition, it should consistently reevaluate the need for continued retention of stored biometric information, and ensure that this data is consistently deleted when it is no longer needed.
Am I allowed to share biometric information?
Generally speaking, a business may not disclose biometric information to any third party without the subject’s express permission. Typically, a properly worded point-of-collection disclosure and acknowledgment should identify service providers and vendors with whom the biometric identifier may be shared (e.g., a timekeeping/POS platform). Any sharing of biometric information should be restricted to those instances that are in furtherance of services provided by the business to the consumer, as sharing for other purposes risks being found to be the improper selling of biometric information.
What are the penalties for violating BIPA?
BIPA provides individual plaintiffs a baseline statutory damage of $1,000 for each violation, with the statutory damage increasing to $5,000 for each intentional or reckless violation. As recent litigation has demonstrated, BIPA claims are ripe for class treatment, where individual statutory damages awards quickly combine into enormous risk exposure. The extent of BIPA risk has been on full display over the past two years: Facebook settled a BIPA class action over its photo-tagging software for a record $650 million, while Google and TikTok settled for $100 million and $92 million, respectively.
Other State Biometric Privacy Laws
Outside of Illinois, only Texas and Washington have comprehensive laws governing biometric privacy. The California Consumer Privacy Act (CCPA) also covers the protection of biometric data and provides a limited private right of action.
Although the Texas Capture and Use of Biometric Identifier Act (CUBI) has been in effect since 2009, it had not been used in an enforcement action until March 2022, when the Texas Attorney General filed suit against Meta (parent of Facebook) alleging that the company violated CUBI by collecting biometric information from Texas residents without their consent through photos uploaded to Facebook. CUBI is similar to BIPA in that it prohibits the collection and transmission of biometric identifiers without a person’s consent and places retention and destruction obligations on entities in possession of biometric identifiers. CUBI is, however, more forgiving than BIPA, as it only covers the “capture” of biometric identifiers, while BIPA covers a broader scope of information, including anything “based on” an individual’s biometric identifier. Unlike BIPA, CUBI does not require that consent be in written form, nor does it include a private right of action.
Washington became the third state to enact a biometric privacy law when it passed H.B. 1493 in 2017. Although H.B. 1493 contains data security and retention requirements that are similar to CUBI and BIPA, Washington’s statute is less burdensome for businesses. Like CUBI, H.B. 1493 does not create a private right of action and is instead enforced by the Washington Attorney General. H.B. 1493 is narrower than BIPA and CUBI in that its definition of a biometric identifier does not include facial recognition data and explicitly excludes physical or digital photographs, videos, or audio recordings. Additionally, unlike BIPA and CUBI, Washington’s statute does not broadly regulate the “capture” of biometrics and is instead limited to entities that “enroll” biometric identifiers by capturing data and storing it in a database that matches the biometric identifier to a specific individual. H.B. 1493 is also currently unique among state biometric privacy laws in that it contains a broad security exception for biometric identifiers used in furtherance of a “security purpose.”
The CCPA explicitly includes biometric data in its definition of personal information, which is covered by the Act. Because biometric data is broadly defined under the statute, companies that collect or use a California resident’s biometric data are likely to fall under the CCPA’s scope and must satisfy the myriad compliance requirements imposed by the statute. However, the CCPA differs from BIPA in that its private right of action is narrower. Consumers can pursue individual or class litigation if their personal data is impacted and the entity is found to have violated its duty to maintain reasonable security measures. Consumers can recover between $100 and $750 in statutory damages per incident.
Companies should be prepared for the possibility of additional states adopting laws governing the collection, use, and processing of biometric information. Legislatures in California, Kentucky, Maine, Maryland, Massachusetts, Missouri, and New York have all proposed new biometric privacy laws this year. BIPA and similar state laws also appear to be safe from the risk of federal preemption. The current draft of the American Data Privacy and Protection Act (ADPPA) explicitly clarifies that BIPA and similar laws would not be invalidated if the federal data privacy law is passed.
Originally published on May 11, 2020.
Updated September 20, 2022
A Partner at M&S, Chris advises clients on telemarketing and privacy matters, helping them develop proactive compliance programs and successfully defending them in government enforcement actions, litigation, and class action lawsuits.