More Businesses Using Biometric Data Means More Regulation
- Information governance
- 3 Mins
Biometric data continues to take up a massive amount of space in the digital universe. Fingerprints, facial scans, and voice recognition are staples of modern devices and are regularly integrated into business models.
Think about how biometric technology plays a role in tools for employee identification, automated voice assistants, virtual try-ons, account sign-on verification, event access, and social media filters, to name a few. Organizations may collect this data not only in the regular course of business, but also during discovery for a lawsuit or investigation. As a result, the U.S. has experienced more pressure for regulation in recent years. This body of law continues to evolve so do not forget to turn alerts on for biometric updates in the legal space to keep on top of pivotal decisions and legislative trends.
Recent Case Law
Illinois was the first state to directly regulate biometric data through the lens of consumer privacy in 2008 via the Biometric Information Privacy Act (BIPA). This strict law applies to how organizations collect, use, safeguard, handle, store, retain, and destroy biometric consumer data and has been a groundbreaking piece of legislation not only in Illinois but throughout the nation.
Private lawsuits are authorized and prospective plaintiffs do not need to show actual harm to establish standing. A procedural violation is sufficient to file a BIPA lawsuit, including class actions. This has resulted in a flurry of litigation since its inception fifteen years ago, with some pivotal decisions and trends materializing the past year. Take a look below:
- The first BIPA class action went to verdict in October 2022. In Rogers v. BNSF, the issue was an employer collecting biometric data without employee consent or notice of data retention policies. The unique part of this case is that the employer did not directly violate BIPA, but it was instead a third-party that collected and used this data in violation of statutory mandates. The jury quickly entered a verdict in favor of plaintiffs finding reckless/intentional statutory violations 45,600 times. Each fingerprint scan counted as a violation and constituted a separate $5,000 award. The court entered total damages in the amount of $228 million. This verdict puts employers on notice that they can face vicarious liability for the unlawful actions of vendors and be subject to high monetary penalties.
- On Feb. 3, 2022, the Illinois Supreme Court in McDonald v. Symphony Bronzeville Park ruled that the worker’s compensation statue does not preempt BIPA. This eliminated a key employer defense and continues the trend of courts broadly interpreting this law. Further widening the floodgate potential in turn raises exposure risk as BIPA damages can be quite high.
- Trends include lawsuits centering on facial recognition data collection and targeting retailers. Examples are virtual try-ons, AI-enabled voice assistants, and similar technologies. Courts are also interpreting facial scans broadly, such as encompassing bystanders captured on outdoor video from a private residence.
- Case law dictates that it does not take much to proceed past the pleadings stage. Many motions to dismiss have proved unsuccessful and cases proceed to the discovery phase.
- On Feb. 2, 2023, the Illinois Supreme Court rendered a pivotal decision regarding statute of limitations. BIPA does not provide a limitations period, so the Illinois Code of Civil Procedure governs. There was debate regarding whether provisions applying a one-year or five-year limitations period applied. The court ruled that the five-year catch-all provision applies to all BIPA claims.
- On Feb. 17, 2023, the Illinois Supreme Court came down with another key ruling confirming that plaintiffs can bring claims for each time an organization unlawfully collects or discloses their information. It was a close call and the majority recognized the extreme liability this could place on defendants and left discretion to the trial courts on how to enter damages. The Court attributed the ruling to the plain language of the statute and said that lawmakers would need to make any changes in this regard.
There are notable underlying themes. Courts are continuing to interpret BIPA broadly to put organizations on notice about unacceptable data hygiene practices. It does not take much to establish a cause of action, the potential plaintiff pool is wide in class actions, statute of limitations is longer, damages can be massive, and liability is expanding to third-party actions. The explosion of BIPA litigation seen over recent years will not slow down anytime soon, so organizations need to regularly evaluate their exposure risk and take steps to mitigate proactively. Failure to do so could result in BIPA-related litigation costs and monetary liability.
Texas and Washington have similar biometric laws on the books, but do not allow for a private right of action. It is important to know the similarities and differences between the three laws, but enforcement in Texas and Washington has not been anywhere near BIPA level due to the absence of this right to sue.
In 2022, there was a wave of state bills that signifies more states are trying hard to get a biometric law on the books. While none passed, as of January 2023 two bills have already been introduced in the new legislative session (Maryland and Mississippi). There is expected to be another flurry of biometric bills throughout the country this year as the sessions progress.
What is interesting about the 2022 bills is that they fell into several different buckets. Some were straight BIPA copycats. Others were hybrid bills incorporating both BIPA protections and those found in current consumer privacy laws. The third category was more targeted at facial recognition and voice data regulation. At a local level, Baltimore and Portland have already successfully passed laws targeting facial recognition in the private sector.
It is crucial to monitor what model prevails if and when more state bills pass into law. What will be especially interesting is whether any include a private right of action pass and how the resulting case law will mirror or differ from interpretation of the Illinois law. Also, whether more states decide to focus on targeted laws since facial recognition is currently the hot topic.
So, what should litigators and organizations handling biometric data be doing this year? Ramping up compliance efforts, monitoring relevant court decisions, and tracking legislative process outside of Illinois will be key. While BIPA can apply outside Illinois, new state laws that pass would add to the dominance of biometric litigation.
The correlation of more biometric data collection and increased regulatory attempts nationwide signifies the importance of how data trends drive legal action. Facial recognition will definitely be a continued focus and new trends will undoubtedly materialize. Organizations must understand their risk with biometric data collection so they can close gaps and stay ahead of the curve.