The Face of the Future: Developments in Biometric Privacy Law and Litigation

There are certain parts of a person’s identity that are immutable, unchangeable, and biologically unique to them and only them. From the sound of a voice to the contours of a face to the barely detectable nuances in a person’s fingerprints, a few select aspects of their identity are so inimitable that companies have started to see them for what they truly are—a gold mine of untapped commercial value.

Growing numbers of vendors and businesses are implementing biometric data into their operating systems as a means of preventing timekeeper fraud, of strengthening internal security, and of streamlining the efficiency of their operations overall. As biometric data usage becomes more prevalent—think mobile devices or bank any-time teller machines—state courts and legislatures alike are attempting to define the contours of acceptable and best practices for all involved. While the legislative horizon still remains murky for some states, there are a select few, Illinois, Washington, and Texas, who have taken up the helm and pioneered the cause for implementing comprehensive biometric data privacy legislation.

Illinois

Illinois did it first and arguably, best; it, being the implementation of the nation’s first Biometric Information Privacy Act (“BIPA”) in 2008—HB2411. Illinois’ BIPA sets forth a thorough system of rules aimed at better controlling the commercial entities who choose to collect consumer biometric data. Some of the most notable highlights of BIPA include its notice and informed consent requirement, its prohibition on commercial profiteering of biometric data, its limitation on accepted disclosures, and its directive that collecting entities adhere to strict guidelines in both the protection and storage of biometric information. The best part of BIPA, from a consumer standpoint however, is the creation of a private right of action for citizens alleging biometric data privacy violations. Under BIPA, an affected individual may recover $1,000 for each negligent violation and upwards of $5,000 for any violation deemed willful and/or reckless.

Increased Litigation Under BIPA

For what seemed like the longest time following its enactment, there were virtually no claims filed under Illinois’ Biometric Privacy Act. However, in the past year nearly forty class actions have been brought under BIPA, mostly by employees, alleging that their companies’ use of biometric data violated individual privacy rights under the Act. The majority of the suits arise from a recent employment trend whereby companies use the collection of biometric data e.g., fingerprints and/or facial recognition, for timekeeping or heightened security measures. The complaints, all starkly similar, assert the invariable nature of biometric identifiers renders the data more sensitive than other identifiers, like Social Security numbers which can be changed.

While the suits all allege technical violations such as failures to communicate with individuals regarding the intent to collect the data, and businesses neglecting to obtain informed consent prior to the use and storage of biometric identifiers, there have not been any allegations of actual damages or losses of biometric data. Plaintiffs’ lawyers, then, are filing preemptive class action suits to take advantage of BIPA’s express authorization of private rights of action. If the volume of cases filed in October 2017 just within the Cook County Circuit Court are an indication of what is to come, then the tide of consumer-BIPA litigation shows no sign of calming any time soon.

An Un-dynamic Duo

Unlike their predecessor, neither the Washington Biometric Privacy Act (HB1493), nor the Texas Biometric Identifier Statute (Bus. & Com. §503.001) provides consumers with a private right of action to sue for alleged violations, which explains the lack of similar class actions in those states. Both laws, though, explicitly include similar notice and consent requirements necessary before an entity may use biometric information for commercial purposes.

Texas

Specifically, the Texas law, much like the Illinois BIPA, limits the sale or disclosure of a person’s biometric identifiers to four instances: 1) to identify someone who has disappeared or died, 2) to complete a financial transaction, 3) as required or allowed by other state law, and 4) to law enforcement agencies for purposes in response to a warrant. While the limits of disclosure are arguably clear, Texas, like its predecessor, falters towards vagueness in the regulation of both the storage and destruction of biometric identifiers once collected. Section 503.001 only charges entities with “reasonable care” in the storage of this priceless information; it likewise gives entities a “reasonable time” to destroy the information. While a reasonableness standard may be acceptable and understood in other contexts, the relative newness of consumer biometric technology necessitates a more clear delineation of what entities should and should not do. The apparent saving grace of Texas’ biometric statute is that each violation tacks on $25,000 in civil penalties, a major increase from BIPA standards; this hefty source of remuneration, however, is chilled by the fact that only the attorney general can bring an action to recover for biometric privacy violations.

Washington

The Washington legislature, like its Texas counterpart, also tried its hand at safeguarding consumer biometric data through the implementation of HB1493. The most noticeable difference in Washington’s choice of language is that in addition to requiring notice and consent, it also tasks commercial entities with “providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” Also, Washington expands the instances where disclosure is permitted, allowing for entities to share biometric information with third parties who contractually promise not to disclose the data and not to use it in ways incongruous with the notice and consent obtained from the original consumer.

While HB1493 echoes the “reasonable care” standards of both Illinois’ HB2411 and Texas’ §503.001, it goes a step further with the added order that entities must protect against or prevent actual fraud, criminal activity, claims, and the like. A closer reading of the fine print, though, uncovers that Washington’s protections only extend to “enrolled” biometric identifiers. If, for instance, a customer decided they no longer wanted to participate in touch-ID for a banking account, then the statute appears to leave their biometric identity susceptible. Washington, like Texas, and to the chagrin of its citizens, takes a lot of the sting out of its statute by eliminating the private cause of action and placing the onus of enforcement squarely on the attorney general. Further, HB1493 is deftly silent on how much a violation of the biometric privacy law could potentially cost a commercial entity.

What to Expect

In addition to the three jurisdictions detailed above, states like Montana, Idaho, Alaska, California, New Hampshire, and Connecticut, among others, have jumped on the bandwagon and introduced some form of Biometric Privacy legislation, or augmented existing data privacy laws to include biometric language. In all of these states, though, the majority of their initiatives have floundered and failed leaving consumers still vulnerable to the collection, storage, and potential commercial exploitation of their biometric identifying information.

With the proliferation of facial recognition and touch-ID technology, it is evident that we are long past the point of no return. Biometric data is quickly becoming a commodity and if our legislatures do not find a way to manage it, it will undoubtedly manage us. Although only a smattering of states have attempted to wrangle the unchartered territory of biometric data privacy, in the coming legislative sessions, we should expect to see some of the failed bills revived, as well as the introduction of comparable legislation in some of the states who have been slower to take action.

This article first appeared in DRI’s Data and Security Dispatch on December 8, 2017.