Biometric technology data is generated more frequently these days in private and professional settings as authentication methods like fingerprint scanning, facial recognition, and voice recognition are becoming standard on modern devices. Many organizations use technology with biometric capabilities for employee or vendor identification and to carry out consumer transactions. Virtual try-on options for products like eyeglasses or makeup that rely on facial biometrics are gaining popularity in the retail industry. Social media platforms also commonly rely on biometrics for filters, lenses, and sign-on verification.

In response to the widespread use of this technology, more states are focusing on regulating the collection and use of biometric data to advance consumer privacy objectives. Organizations handling this information need to know what laws currently apply and are on the horizon. Now is the time to incorporate biometric data policies into information governance and security initiatives, litigation readiness plans, and compliance efforts.

Current State of Biometric Privacy Legislation

In 2008, Illinois was the first state to directly regulate biometric data through the lens of consumer privacy. The state’s Biometric Information Privacy Act (BIPA) is a strict law applying to how organizations collect, use, safeguard, handle, store, retain, and destroy this type of consumer data. The cornerstone of the law is to notify individuals, provide intended use disclosures, and gain consent before collecting biometric information. Sale is prohibited and policies regarding data retention and destruction need to be available to the public. Private lawsuits are authorized and prospective plaintiffs do not need to show actual harm, as procedural violations under the statute are enough to establish standing. As such, several individual lawsuits and class actions have spurred from Illinois’ BIPA and organizations under the law’s purview need to ramp up compliance efforts and monitor relevant court decisions.

Texas and Washington have followed suit and enacted biometric privacy laws similar to those in Illinois. Other states regulate biometric data more narrowly or through other broader state laws. For example, the California Consumer Privacy Act applies to biometric information. When the expanded California Privacy Rights Act becomes effective in 2023, it will still apply to this type of data and provide consumers with more protections. New York’s SHIELD Act is a detailed data security law expanding breach notification obligations that applies to biometric data. A breach response law in Arkansas now also covers biometric data. Lastly, several other states like Maine and Utah specifically regulate facial recognition technology.

This year, almost 30 states had BIPA-like legislation pending. While some did not make it, others are still pending, including bills that would regulate biometric data less comprehensively. As of November 2021, 14 states had proposed bills pending that would regulate biometric data to some degree. Currently, only Illinois and California allow for a private right of action. However, some of the pending laws regulating biometric data usage would also grant this right and it is crucial to monitor any major developments that occur during the 2022 and 2023 legislative sessions.

Since 2020, a proposed federal law regulating the privacy of biometric information has been under review. The FTC has also increased enforcement involving biometric data collected via facial recognition technology.

Biometric privacy regulation is also surfacing at the local level in two major cities and both laws grant consumers a private right of action for violations. In Portland, Oregon, an ordinance became effective this year implementing a broad ban on the use of facial recognition technology by private organizations. New York City also enacted an ordinance this July applying to commercial establishments that requires consumer notification when an organization uses biometric technology through direct disclosure or a noticeable sign near the building’s physical entrance. Data sales are prohibited and there is a 30-day cure period before a lawsuit is authorized.

All of this legislation illustrates the nationwide trend of taking measures to safeguard biometric data. Organizations need to prepare for an even larger focus on this issue in the coming years through new legislation, individual lawsuits, and class actions.

How to Anticipate and Reduce Risks

The increase in biometric privacy legislation throughout the U.S. means that exposure risks are higher. Some BIPA class actions have already resulted in hefty settlements. Organizations that collect and use biometric information need to respond appropriately to safeguard data and reach compliance with applicable laws. Below are some ways to prepare for new or anticipated compliance obligations and lessen the risks:

1. Closely monitor pending legislation: With all the pending biometric privacy laws on the table, organizations need to keep tabs on what passes. This applies to laws outside of state borders because if the organization does business in another state with an active biometric law or headquarters are in another state, the statute itself or court interpretation may allow a suit to move forward. Understanding which laws apply to an organization improves compliance efforts and lays the foundation for creating new policies, risk management strategies, and litigation plans.

2. Review key biometric privacy case law: Even with the flood of lawsuits under Illinois’ BIPA, there are still many ambiguities courts need to address. This includes issues surrounding jurisdiction, damages, statute of limitations, and more. With a flurry of BIPA-like legislation on the horizon in other states that would also allow for private lawsuits, litigation risk is significantly amplified. Some pending statutes allow for expanded damages including attorney fees, treble damages, and punitive damages. Other laws like New York City’s ordinance extend liability past social media companies and encompass commercial establishments. As such, once an organization establishes which laws apply to their data processing activities it can determine which case law to closely monitor and adjust policies accordingly.

   Also pay close attention to key BIPA interpretations in the coming years, as they will be influential as other jurisdictions begin to pass and interpret their biometric privacy laws. For example, in the recent appellate case Tims v. Black Horse Carriers, 2021 IL App (1st) 200563 (Sep. 17, 2021) the judge concluded that certain sections of BIPA allow for a one-year statute of limitations while others warrant five years. Additionally, when an individual suffers multiple violations, they can recover the maximum liquidated damages for each separate violation. All of this significantly increases class action litigation exposure, although it is important to note that the statute of limitations issue is also currently pending in the third district. This is just one example of the myriad of BIPA-related issues flooding the courts, so litigators and consumers need to monitor what makes it before the Supreme Court to gain some clarification.

3. Address biometric technology in information governance initiatives: organizations around the U.S. that collect and process biometric information should be more careful when handling this data as new compliance obligations are inevitable. Being proactive and anticipating this when carrying out information governance initiatives will reduce future exposure risks. Best practices include:

   • Creating specific policies around handling biometric data that also account for sale prohibitions
   • Reviewing security systems to address gaps and update them accordingly
   • Collaborating with legal to create risk management strategies and compliance plans around biometric privacy
   • Drafting notice templates
   • Holding internal training exercises

Organizations subject to laws with a right to cure also need to have specific policies outlining how to reply when a consumer alleges violation, appropriate measures to cure the issue, and steps to take when a lawsuit is filed.

All of these proactive efforts place an organization ahead of the compliance curve and will significantly decrease the potential of lawsuits with merit. This results in stronger risk management, lowered litigation costs, maintained reputation, and safer consumer data.

For more information on how Epiq can help you, click here.