Looking to the future of biometric data privacy laws

8 minute read

A biometric access control panel is seen at the Chilean congress in Valparaiso, Chile May 30, 2018. REUTERS/Rodrigo Garrido

Register now for FREE unlimited access to Reuters.com

April 6, 2022 - Set in the year 2054, Steven Spielberg's 2002 science fiction film, "Minority Report," previews a future in which our personal biometric data — our unique biological characteristics measured in data points — are our personal passports to gain access to everywhere and everything public.

In "Minority Report," Tom Cruise's Chief John Anderton, a former law enforcement officer turned wanted man, needs to break into his own former place of employment in Washington, D.C., to investigate the facts and prove his innocence. However, he faces one practically insurmountable problem: retinal scanners are present in all aspects of life. Chief Anderton cannot escape them, and the only way for him to bypass the ubiquitous retinal scanners is for his eyes literally to be those of another. From birth to death, in this fictional future world, each of us is tracked by computer technology based on our unique physical characteristics.

It is not yet 2054, of course, but biometric authentication — measuring and using unique biological characteristics to authenticate a person's identity — is already commonplace. As a society and as consumers we have a litany of devices that collect and process our biometric information, with the understanding that these data elevate both convenience and security simultaneously. Smart phones, which are miniaturized personal computers, employ biometric security features such as fingerprint scanners, facial identification scanning, and even eye scanners.

Register now for FREE unlimited access to Reuters.com

The deployment of biometric authentication stems from the notion that people don't like to securely record, remember, and use complex passwords, whereas our biometric data are unique, constant, convenient, and secure in authenticating our identity. In other words, it is easier and more secure to place one's thumb on a scanner, or easier yet, just to look at our phones, for example, than to type in a well-designed password to authenticate our identity.

According to the U.S. Department of Homeland Security, "biometrics" is defined as "unique physical characteristics … that can be used for automatic recognition." With technological advancements, biometric information is being collected and processed at every turn, including by employers and other businesses.

Failure to secure and document informed consent to use this uniquely personal (and thus valuable) data has resulted in an astounding wave of litigation in Illinois, which has strongly protected biometric data privacy rights. Illinois' pioneering statute is now being looked at by other states as a possible model as they update their own data privacy and security statutes.

Illinois’ Biometric Information Privacy Act

To safeguard against the unauthorized collection and use of biometric information, Illinois passed the country's first and, to date, most expansive and stringent, consumer data privacy statute protecting biometric data, the Biometric Information Privacy Act (BIPA), 740 Ill Comp. Stat. 14/1 (2008).

BIPA regulates the collection, processing, disclosure, and security of Illinois residents' biometric information. BIPA singles out biometric data as being different from other personally identifiable information because biometric data cannot be changed readily (a point dramatically illustrated in "Minority Report" by the main character's need to get an eye transplant in his quest to prove his innocence):

"Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identify theft, and is likely to withdraw from biometric-facilitated transactions."

BIPA outlines stringent protocols on the capture, conversion, storage, or sharing of "biometric identifiers," which are defined as "retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." Generally, BIPA requires a private entity in possession of biometric identifiers to:

(1) develop a written policy;

(2) inform the owner of the biometric information in writing about the purpose for collecting the information and the length of time it will be stored;

(3) obtain written consent for the collection and storage of the data; and

(4) refrain from selling, leasing, trading, or otherwise profiting from that biometric information.

In practice, BIPA has resulted in a flood of litigation in Illinois, especially class actions. This result stems from BIPA's having created a private right of action with liquidated statutory damages. Plaintiffs bringing claims under BIPA may seek actual or liquidated damages of either $1,000 per negligent violation or $5,000 per intentional or reckless violation. Reimbursement of attorney fees, as well as injunctive relief, are also available to the prevailing party In 2021, Facebook settled a BIPA class action over its photo-tagging software that cost the social media giant $650 million. TikTok similarly settled a class action for $92 million over its face detection in videos.

The Illinois Supreme Court's seminal case interpreting the standing requirements under BIPA is Rosenbachv.SixFlagsEntertainmentCorporation, 129 N.E.3d 1197 (Ill. 2019).As construed by the Illinois Supreme Court, actual damages, beyond a violation of the rights conferred by the statute, are not required to maintain a claim under BIPA. Therefore, as the Court concluded, "[A]n individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an 'aggrieved' person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act." Id. at 1207.

Armed with this presumed injury without proof of actual damages, plaintiffs have chosen, as a principal target of BIPA class actions, employers that track their employees' comings and goings using biometric scans — businesses that have replaced punch clocks with higher-tech fingerprint scans. The desire to replace seemingly old-fashioned punch clocks, in which individual employees insert a card into a device that time-stamps when the employee showed up for work, is based on suspicions of "buddy punching." Obviously biometric scanners would serve as a deterrent against workers who might insert the time cards of others to cover for their lateness.

When employers have failed to obtain their employees' informed consent, the circumstances have led to employee class actions with potentially large exposures based on BIPA's statutory damages. Consumer-facing businesses that track individuals' access to privileges using biometric data for security and convenience, such as fitness clubs, have also been targets.

Biometrics data privacy protection legislation throughout the United States

BIPA has influenced states throughout the country as they have considered their own biometric data privacy protection legislation. So far, however, none of the other states (leaving aside the municipality of New York City) with biometric data privacy protection legislation has adopted BIPA's broad private right of action. For example, Texas' Capture or Use Biometric Identifier Act (CUBI) in 2009 does not contain a private right of action, empowering only the Texas Attorney General to pursue violations instead. Tex. Bus. & Com. Code § 503.001.

However, the availability of attorney general enforcement of a public right of action is itself a significant aspect of the emerging laws regarding biometric data privacy to which businesses should pay careful attention. Texas Attorney General Ken Paxton recently filed suit against Facebook for violating the CUBI, alleging that Facebook illegally harvested millions of facial biometric templates on the social media site.

Washington's Biometric Privacy Act (WBPA), RCW 19.375.010 etseq., does not have a private cause of action. WBPA does not require notice or consent in some circumstances and contains a broad security exception, exempting entities collecting biometric information for a "security purpose."

New York City's biometrics ordinance applies to "commercial establishments," which are defined as "food and drink establishments, places of entertainment, and retail stores," that collect, retain, convert, store, or share biometric identifier information from customers. The ordinance provides that regulated businesses are required to post clear, conspicuous notices near all customer entrances.N.Y.C. Admin. Code § 22-1201 etseq. However, while (as previously mentioned) the city ordinance creates a private right of action, it is subject to a 30-day notice-and-cure period. Statutory damages range from $500 to $5,000 per violation, along with attorney fees.

The California Consumer Privacy Act (CCPA), which extends to biometric data, has a private right of action. Next year (2023), the CCPA will be strengthened in protections under the California Privacy Rights Act (CPRA), which creates, among other things, an enforcement agency.

Under the existing CCPA, a private claim must be based on a "business's violation of the duty to implement and maintain reasonable security procedures" resulting in "unauthorized access and exfiltration, theft, or disclosure" of the consumer's nonencrypted or nonredacted personal information. Cal. Civ. Code § 1798.150. However, the debate over protecting biometric data as a special class of data warranting extra protection continues, with a bill having been introduced recently in the California Legislature that would adopt an express private right of action similar to BIPA's.

Conclusion

As legislators are looking to adopt updated data privacy laws in their states, they are studying Illinois' BIPA in addressing issues relating to the special case of biometric data. The large scale of class-action litigation in Illinois resulting from BIPA has garnered attention from legislators (and lobbyists for interested consumer technology companies) wanting to minimize similar waves of litigation arising from private rights of action.

With many new data privacy statutes already passed in Virginia, Colorado, and Utah, and going into effect in 2023, and others likely to be passed this year, these developments should be carefully monitored by lawyers advising clients on data privacy issues, including employment lawyers who should review employee handbooks and policies for issues relating to informed consent to use employees' biometric data.

Register now for FREE unlimited access to Reuters.com
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.

Fredric D. Bellamy is a partner with Dickinson Wright PLLC, where he practices business litigation. His cases frequently involve scientific, technological, or other complex issues, including those relating to cybersecurity and data privacy issues, insurance coverage, environmental and toxic tort, and intellectual property claims. In 2018, he received a certification from Harvard's Office of the Vice Provost for Advances in Learning following completion of the course, "Cybersecurity: Managing Risk in the Information Age." He is based in Phoenix and can be reached at fbellamy@dickinsonwright.com.