Biometric data includes information relating to a person’s unique physical characteristics, such as fingerprints, palmprints, voiceprints, and facial, retinal, or iris scans. Biometric privacy laws aim to protect individuals from the unauthorized collection, use, and disclosure of this sensitive data, and while these laws vary to some degree, they generally require organizations to obtain informed consent before collecting biometric data, limit the use of biometric data to specific purposes, and require secure storage and disposal of biometric data.
The growing patchwork of legislation
Currently, three states in the U.S. have legislation in effect to regulate private entities’ collection and use of biometric information: Illinois, Texas, and Washington—with more expected to follow. So far, the 2023 legislative season has seen a total of ten states propose biometric privacy bills. While Mississippi’s proposal died in committee, Arizona, Hawaii, Maryland, Massachusetts, Missouri, Minnesota, New York, Tennessee, and Vermont are still considering legislation, meaning companies that process biometric information should ensure their privacy practices around this data are up to snuff. Additionally, Illinois is considering a number of bills to amend its existing law.
IL BIPA: The gold standard
Illinois’ Biometric Information Privacy Act (BIPA) was enacted in 2008, and since that time has been the basis for many class-action lawsuits. It is currently the high bar for biometric privacy law in the U.S. due mainly to its inclusion of a private right of action, and many of the 2023 legislative proposals mimic it. According to Courthouse News Service, 213 BIPA cases were filed in 2018 and 2019 alone, some of which resulted in hundreds of millions of dollars in damages.
While BIPA’s private right of action is highly controversial, the high-profile settlements resulting from the law indicate it may be an effective deterrent for misusing biometric information. Persons “aggrieved by a violation” of BIPA can sue for statutory remedies, including the greater of actual or liquidated damages of $1,000 USD for negligent violations, or $5,000 USD for intentional or reckless violations. As more litigation involving BIPA occurs, we learn more about its scope and application.
In the Rosenbach v. Six Flags case, the Illinois Supreme Court clarified that no actual harm is required for standing to assert a claim under BIPA, and that the law creates a right to control one’s own biometric information. In the case, the plaintiffs argued that the amusement park processed fingerprints as part of entry without fair notice, consent, or a written policy. The amusement park argued it had captured the thumbprints of season pass holders to facilitate entry into the park while limiting losses from unauthorized use by non-pass-holders. The case was eventually settled for the plaintiffs with 1.1 million class members sharing $36 million USD.
More recently, BIPA had its first-ever case go to trial. This time a federal jury decided against BNSF Railway, operator of one of the largest freight railroad networks in North America, resulting in a groundbreaking $228 million USD judgment. The court found that BNSF unlawfully scanned more than 44,000 truck drivers’ fingerprints for identity verification purposes without written, informed permission or notice when the individuals entered BNSF’s rail yards. Notably, the fingerprint scans were conducted by a service provider for the railroad, but BNSF remained on the hook for the processing.
The latest BIPA decision by the Illinois Supreme Court should have any company processing biometric information stand up and pay attention. The court ruled that BIPA claims accrue each time data is unlawfully collected and disclosed, rather than only upon the initial collection, as previously held. This ruling significantly expands the exposure for BIPA defendants, easily turning million-dollar settlements into billion-dollar settlements.
Changes to BIPA may be on the horizon. The Illinois House is currently considering five amendments: HB1230 (healthcare exemption), HB3204 (one-year statute of limitations), HB3199 (right to cure), HB2259 (security exemption), and HB2252 (comprehensive reform). All amendments are currently scheduled for a March 8 hearing. While BIPA has seen proposed amendments in the past, recent decisions may impact how the legislature views the law. The legislature has until mid-May to consider the changes.
What companies can do
Despite these headline-grabbing judgments, many companies remain in the dark when it comes to understanding the requirements around processing biometric data—or what constitutes biometric information.
So where should you start?
Determine whether you collect biometric data.
Companies should audit their data collection and that of their service providers to understand what data is collected and how it’s used.
Understand what laws you are subject to.
The application of privacy laws differs from one to the next; it could be based on the location of the data processing, the residence of the data subject, or another qualifier. Also, some laws apply to employees, consumers, or both, so knowing from whom you are collecting biometric information is also important.
Make sure your notification and consent obligations are met.
If you or your service providers do collect biometric information, make sure you are properly disclosing that and obtaining consent to collect and process it.
As companies increasingly adopt technologies that involve the collection and use of biometric data—especially as it relates to verification methods or authentication—it’s important to consider how your business may be impacted by increased requirements. BIPA is the clearest and most ardent protector of biometric data, and copycat legislation could mean increased risk for your organization in the near future.