Biometric Laws and Business

Biometric Privacy Laws: What Businesses Need to Know Right Now

Businesses are increasingly using biometrics to identify their customers and employees and to provide services to them. For example, fingerprint-based time systems record employee work hours accurately while preventing practices such as buddy punching. Businesses can also use fingerprint, voice ID, or facial recognition technologies to secure access for their employees and customers.

While adopting these technologies can offer businesses significant efficiencies and improved accuracy, it can also unknowingly create significant risk of multimillion-dollar liability. A number of states have enacted biometric privacy laws, including protections for biometric information in the California Consumer Privacy Act (CCPA) and other recently enacted state privacy laws. The largest source of risk at this time, however, is the Illinois Biometric Information Privacy Act (BIPA). With its private right of action and hefty statutory damages (up to $5,000 per violation), businesses are increasingly facing multimillion-dollar settlements for failing to comply with BIPA's requirements.

What is biometric information?

Biometric information is any data based upon a biometric identifier (a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) that is used to identify an individual. Notably, BIPA’s definition of biometric information is broad in two respects.

First, any such data fits within the definition of biometric information regardless of how it is captured. This means that even gathering publicly available information about an individual (e.g., by taking pictures of an individual in public, or obtaining a publicly available photograph) can still implicate the statute.

Second, BIPA applies to biometric information regardless of how it is converted or stored. Therefore, data that is hashed or processed in a way that reduces or eliminates the risk of harm is nonetheless protected biometric information if it is derived from a biometric identifier. For instance, most fingerprint technology reduces a fingerprint scan to a mathematical template (a set of extracted features), rather than saving an image of the individual's fingerprint. Vendors commonly describe such templates as not reversible into a fingerprint image; that claim should be verified for the specific system rather than assumed, since template reconstruction has been demonstrated against some template formats. Either way, it does not change the statutory analysis. This is significant in litigation because even when a defendant can show that a plaintiff has not been exposed to a risk of harm due to hashing or processing of the data, the plaintiff can generally still assert a claim for statutory damages.

Examples of biometric identifiers from recent lawsuits include:
  • Timekeeping systems: The most common source of litigation. Businesses have increasingly turned to fingerprint-based timekeeping or POS systems, and under the statute as originally construed, each time an employee clocks in or out of the system could give rise to a separate $1,000-$5,000 statutory violation. An August 2024 amendment to BIPA provides that collecting the same biometric identifier from the same person through the same method of collection counts as a single violation, which limits this per-scan accrual going forward.
  • Customer identity verification: A theme park using fingerprint validation for season ticket holders and a locker rental system found themselves subject to BIPA class actions.
  • Facial recognition: Facebook and Shutterfly have found themselves subject to numerous class action lawsuits regarding facial recognition "friend tagging" products.
  • Avatar creation: A video game developer found itself subject to a BIPA class action after it introduced a feature allowing players to undergo a scan in order to use their likeness as a player.

Am I prohibited from collecting biometric information?

No. BIPA and other biometric privacy laws do not generally prohibit the collection of biometric information. Rather, the statute imposes certain obligations on businesses that possess biometric information including:

  • creating a publicly available written policy about its biometric data practices,
  • providing written disclosure to, and obtaining a written release from, any individual from whom biometric information is collected before the collection occurs,
  • refraining from selling, leasing, trading, or otherwise profiting from biometric information, and
  • using a reasonable, commercial standard of care for storing, transmitting, and protecting biometric information from disclosure.

What must I do before collecting biometric information?

First, a business must ensure that it has a written policy in place that includes both a retention schedule and guidelines for permanently destroying biometric information when it is no longer needed for the purpose for which it was initially collected or within three years of an individual’s last interaction with the business, whichever is earlier. Implementing a written policy should be a thoughtful exercise in which the business evaluates the purposes for which the information is collected, its data security obligations, and the extent that the information may be shared with vendors or service partners. Because the policy must be made publicly available, a business is at heightened risk for claims that it has failed to honor terms of the policy.

Second, a business must prepare a written notice that will be provided to any individual from whom biometric information is collected. The notice must specifically provide that biometric information is being collected, provide the purpose for which the information is being collected, and describe the length of time that the biometric information will be collected, stored, and used. The business then must obtain a written release from the individual authorizing the collection and use of their biometric information.

What are my ongoing obligations for biometric information?

A business must take appropriate steps to ensure the security of biometric information. In addition, it should consistently reevaluate the need for continued retention of stored biometric information and ensure that this data is consistently deleted when it is no longer needed or three years have passed since the individual’s last interaction with the business, whichever is earlier.
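The retention rule stated above (destroy when the collection purpose is satisfied, or three years after the individual's last interaction, whichever is earlier) is simple to state but easy to get wrong in practice, because the "last interaction" date moves with every scan while the "purpose satisfied" date usually arrives from a different system (for example, HR's termination date). The following Python sweep is an added example, not code from the original article or from any vendor's product; the record layout, the function names and the sample data are all constructed for illustration. It computes each stored template's destruction deadline, reports what is due, and writes an audit trail that deliberately carries no biometric data.

```python
"""Retention sweep for stored biometric templates (added example, hypothetical names)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Statutory ceiling from the text above: destroy within three years of the last interaction.
RETENTION_LIMIT_YEARS = 3


@dataclass(frozen=True)
class TemplateRecord:
    """Metadata for one stored template. The template bytes live elsewhere; this
    sweep only ever needs identifiers and dates."""
    subject_id: str
    last_interaction: date                   # refreshed on every scan / clock event
    purpose_ended_on: Optional[date] = None  # e.g. employment end date; None while ongoing


def add_years(d: date, years: int) -> date:
    """Calendar-year addition. A Feb 29 start date maps to Feb 28 when the
    target year has no Feb 29, so the deadline never silently slips a day later."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destroy_by(rec: TemplateRecord) -> date:
    """Destruction deadline: the earlier of purpose end and last interaction + 3 years."""
    deadline = add_years(rec.last_interaction, RETENTION_LIMIT_YEARS)
    if rec.purpose_ended_on is not None:
        deadline = min(deadline, rec.purpose_ended_on)
    return deadline


def sweep(records: list[TemplateRecord], today: date) -> tuple[list[str], list[dict]]:
    """Return the subject IDs whose templates are due for destruction on `today`,
    plus one audit entry per deletion. Entries hold only identifiers and dates,
    so the audit log does not become a second store of protected information."""
    due: list[str] = []
    audit: list[dict] = []
    for rec in records:
        deadline = destroy_by(rec)
        if deadline <= today:
            due.append(rec.subject_id)
            audit.append({
                "subject_id": rec.subject_id,
                "deadline": deadline.isoformat(),
                "destroyed_on": today.isoformat(),
            })
    return due, audit


# Constructed sample data for this example (not real records).
SAMPLE_RECORDS = [
    TemplateRecord("emp-001", date(2021, 3, 15)),                    # silent > 3 years: due
    TemplateRecord("emp-002", date(2024, 6, 1)),                     # active employee: keep
    TemplateRecord("emp-003", date(2024, 6, 1), date(2024, 7, 31)),  # terminated: due despite a recent scan
    TemplateRecord("emp-004", date(2020, 2, 29)),                    # leap-day edge: deadline 2023-02-28
]


def run_example(today_iso: str = "2024-08-05") -> list[str]:
    """Run the sweep over the sample data for a given ISO date and return the due IDs."""
    due, _audit = sweep(SAMPLE_RECORDS, date.fromisoformat(today_iso))
    return due


if __name__ == "__main__":
    ids, log = sweep(SAMPLE_RECORDS, date(2024, 8, 5))
    print("due for destruction:", ids)
    for entry in log:
        print(entry)
```

Two design points are worth noting. The sweep must be fed the purpose-end date from the system that knows it (here, HR), otherwise a terminated employee's template survives until the three-year ceiling, which is exactly the kind of policy deviation a publicly posted retention schedule invites claims over. And the audit entries record that a deletion happened and when, without copying the template into the log.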

Am I allowed to share biometric information?

Generally speaking, a business may not disclose biometric information to any third party, including a service provider, without the individual’s express permission. Typically, a properly worded point-of-collection disclosure and acknowledgment should identify service providers and vendors with whom the biometric identifier may be shared (e.g., a timekeeping/POS platform). Any sharing of biometric information should be restricted to those instances that are in furtherance of services provided by the business to the consumer, as sharing for other purposes risks being found to be the improper selling of biometric information.

What are the penalties for violating BIPA?

BIPA provides individual plaintiffs a baseline statutory damage of $1,000 for each negligent violation, increasing to $5,000 for each intentional or reckless violation. As recent litigation has demonstrated, BIPA claims are ripe for class treatment, where individual statutory damages awards quickly combine into enormous risk exposure. The extent of BIPA risk has been on full display in recent years: Facebook settled a BIPA class action over its photo-tagging software for a record $650 million, while Google and TikTok settled for $100 million and $92 million, respectively.

Other State Biometric Privacy Laws

Outside of Illinois, only Texas and Washington have comprehensive laws governing biometric privacy.

Texas
Although the Texas Capture and Use of Biometric Identifier Act (CUBI) has been in effect since 2009, it had not been used in an enforcement action until March 2022, when the Texas Attorney General filed suit against Meta (parent of Facebook) alleging that the company violated CUBI by collecting biometric information from Texas residents without their consent through photos uploaded to Facebook. CUBI is similar to BIPA in that it prohibits the capture and transmission of biometric identifiers without a person's consent and places retention and destruction obligations on entities in possession of biometric identifiers. CUBI is also more forgiving than BIPA, as it covers only the "capture" of biometric identifiers, while BIPA covers a broader scope of information, including anything "based on" an individual's biometric identifier. Unlike BIPA, CUBI does not require that consent be in written form, nor does it include a private right of action. CUBI provides for civil penalties of up to $25,000 per violation.

Washington
Washington became the third state to enact a biometric privacy law in 2017. Although the Washington Biometric Law (WBL) contains data security and retention requirements that are similar to CUBI and BIPA, the WBL is less burdensome for businesses. Like CUBI, the WBL does not create a private right of action and is instead enforced by the Washington Attorney General. The WBL is narrower than BIPA in that it only applies to biometric identifiers collected or used for commercial purposes.

Additionally, unlike BIPA and CUBI, the WBL does not broadly regulate the “capture” of biometrics and is instead limited to entities that “enroll” biometric identifiers by capturing data and storing it in a database that matches the biometric identifier to a specific individual. The WBL is also currently unique among state biometric privacy laws in that it contains a broad security exception for biometric identifiers used in furtherance of a “security purpose.” Civil penalties for violations of the WBL can be up to $7,500 per violation.

Other Laws Impacting Biometric Data

Although only three states have enacted laws specifically governing biometric data, other privacy laws and regulatory policies also impact biometric data handling, and wield their own significant influence in enforcement matters.

Comprehensive State Privacy Laws
Comprehensive privacy laws, which regulate the collection, use and disclosure of personal information, explicitly include biometric data in the definition of personal information. Because biometric data is broadly defined under these statutes, companies that meet the applicability threshold and engage in collection or use of biometric data concerning residents of states with a comprehensive privacy law must satisfy the myriad of compliance requirements imposed by these statutes.

The CCPA differs from BIPA in that it grants consumers a limited and narrower private right of action if their personal data is impacted and the entity is found to have violated its duty to maintain reasonable security measures. Consumers can recover between $100 and $750 in statutory damages per incident. With exception for the CCPA’s limited private right of action, comprehensive state privacy laws are enforced by a state authority, typically the Attorney General, and provide for civil penalties ranging from $7,500 to $25,000 per violation.

The Colorado Privacy Act (CPA) was amended to include specific protections, restrictions, and requirements for biometric data. Businesses are subject to the biometric data rules if they (1) process or control any amount of biometric data or (2) meet the CPA’s general applicability thresholds. Businesses must obtain the consumer’s informed consent before collecting or processing biometric identifiers, adopt a written policy for biometric data retention and security, and are prohibited from disclosing biometric identifiers in most scenarios, including a ban on the sale, lease, or trade of biometric identifiers. These new biometric data protections are effective in mid-2025. Non-compliance with these rules may result in civil penalties of up to $20,000 per violation.

Consumer Health Data Laws
A few states regulate biometric data through their consumer health data laws. Health data laws have broad applicability and an expansive definition of consumer health data that includes biometric data. These laws have nuanced obligations, such as employee access restrictions, geofencing prohibitions, heightened authorization standards to sell consumer health data, and notice requirements. Importantly, Washington’s consumer health data law provides for civil penalties of up to $7,500 per violation and a private right of action for actual damages, injunctive relief, and attorneys’ fees.

Federal Trade Commission Policy Statement on Biometric Information and Section 5 of the Federal Trade Commission Act
In a Policy Statement released in May 2023, the Federal Trade Commission committed to fight unfair or deceptive acts and practices related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies. The FTC issued a non-exhaustive list of examples of practices it will scrutinize in determining whether companies collecting and using biometric information or marketing/using biometric information technologies are complying with Section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices.

The list includes:

  • False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information.
  • Deceptive statements about the collection and use of biometric information.
  • Failing to assess foreseeable harms to consumers before collecting biometric information.
  • Failing to promptly address known or foreseeable risks.
  • Engaging in surreptitious and unexpected collection or use of biometric information.
  • Failing to evaluate the practices and capabilities of third parties who can access biometric information.
  • Failing to provide appropriate training for employees and contractors who interact with biometric information.
  • Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information, to ensure they function as anticipated and are not likely to harm consumers.

State Data Breach Laws
State data breach notification laws in the U.S. vary, but many states have updated their laws to include biometric data as a category of personal information that triggers notification requirements when it is compromised together with other personal information, such as a first and last name. When a data breach involving biometric data occurs, notice must be given to the affected individuals and, in many states, to the attorney general or other regulators, within the statutory deadlines. Some states, like New York, also require businesses to develop, implement, and maintain reasonable safeguards to ensure the security, confidentiality, and integrity of biometric data.

Local Ordinances
While state laws are often the primary focus, businesses should not overlook the biometric data ordinances adopted by several U.S. cities. For instance, New York City’s biometric law mandates that any commercial establishment collecting, retaining, converting, storing, or sharing biometric data from customers must place a clear and conspicuous sign near all customer entrances to inform them of its biometric data practices. The law prohibits these entities from selling, leasing, trading, or profiting from biometric data. Enforcement includes a private right of action with statutory damages.

Moving Forward

Businesses should be prepared for the possibility of additional laws governing the collection, use, and processing of biometric information. Federal and state legislatures have proposed various bills addressing biometric privacy, including a comprehensive federal privacy law, of which early drafts protect certain state laws, such as Illinois’ BIPA, from federal preemption. It is crucial for businesses to stay informed and prepared, as noncompliance can lead to significant legal and financial repercussions. Proactively understanding and adhering to these regulations not only helps in avoiding penalties but also builds trust with consumers by demonstrating a commitment to protecting their sensitive information.

___________
Originally published on May 11, 2020.
Updated August 5, 2024

Chris Wager, Partner: A Partner at M&S, Chris advises clients on telemarketing and privacy matters, helping them develop proactive compliance programs and successfully defending them in government enforcement actions, litigation, and class action lawsuits.

Aaron Parry, Associate: Aaron works across numerous highly regulated industries, helping them comply with state and federal laws related to privacy and data security, cannabis, marketing, teleservices, and other consumer protection matters.