Biometric technology has revolutionized the way our clients conduct business, how consumers interact with products, and ultimately, how we as lawyers provide counsel. Biometric data, as defined by the National Institute of Standards and Technology, is the measurement of physiological characteristics like—but not limited to—fingerprint, iris patterns, or facial features that can be used to identify an individual. Biometrics has become so commonplace in our everyday lives that we often take for granted its presence when unlocking our phones—fingerprint and facial recognition—or yelling at Siri/Alexa to set that next calendar appointment—voice recognition. A growing number of entities have incorporated biometric data into their daily operations as tools to streamline their systems, prevent timekeeping fraud, and improve the strength and integrity of operational security.
As convenient and familiar as biometrics has become, though, its presence is felt nowhere more than in the flood of legislation and litigation arising from concerns over how this non-traditional data will be managed. The legislative horizon is murky, to say the least. However, a few states—Illinois, Washington, and Texas—have taken up the mantle and spearheaded the cause of enacting comprehensive biometric data privacy legislation. As it stands, the states have taken two approaches. Some, like Delaware, New Jersey, and North Carolina, have opted to amend existing breach notification laws to include biometric data under sensitive personal information, whereas others, like Alaska, Montana, and Connecticut, are fighting to get biometric-specific legislation passed in their respective states.
Illinois’ Biometric Information Privacy Act (BIPA) was the first of its kind, passed in 2008. The hallmark of BIPA is its private right of action, which, admittedly, has caused grief for defendants both in and out of Illinois. 740 ILCS 14/1. Texas (Capture or Use of Biometric Identifier, Tex. Bus. & Com. Code Ann. §503.00) and Washington (H.B. 1493) both followed in Illinois’ footsteps, carving out biometric statutes of their own. Unlike Illinois, Texas and Washington forwent the private right of action, instead choosing to leave potential suits to the discretion of the state Attorneys General. All of the statutes, though, implement notice and consent requirements for the collection of biometric data, and they all impose stiff penalties on those found in violation, with Texas leading the charge at up to $25,000 in statutory damages per violation.
While the majority, if not all, of the biometric litigation seen thus far stems from BIPA, the trajectory of those cases is still instructive for other jurisdictions, given that BIPA may be applicable beyond the borders of Illinois. As noted, BIPA was responsible, specifically in the last quarter of 2017, for over fifty putative class action suits filed in Illinois state courts. Those suits can be separated into two large categories: 1) employees alleging that employers used biometric timekeeping technologies without obtaining the statutorily required consent and/or publishing clear data policies, and 2) consumers alleging that businesses collected their data during transactions without disclosing what they were doing or, again, obtaining the necessary consent.
Despite the onslaught of BIPA litigation, a December ruling from the Illinois Appellate Court curtailed plaintiffs’ rush to the courthouse. In Rosenbach v. Six Flags & Great America, 2017 IL App (2d) 170317, the plaintiff alleged that Six Flags neither obtained written consent nor disclosed its policies for the collection of biometric data—in this instance, fingerprints—gathered during season pass purchase transactions. According to the Court, though, the plaintiff failed to allege actual harm, asserting only that had she known of Six Flags’ biometric policy, she would not have allowed her son to complete the season pass transaction. The Court zeroed in on BIPA’s “aggrieved by” language, looking to the plain meaning of the term. Ultimately, the Court held that a BIPA plaintiff is required to do more than allege a technical violation of the Act, and that a defendant’s failure to provide notice or obtain consent before collecting biometric data was not enough to meet BIPA’s “aggrieved by” standard.
Beyond the Rosenbach case, Rivera v. Google Inc., 238 F. Supp. 3d 1088, 1090-91 (N.D. Ill. 2017), is another instructive suit that helps to better define the broad categories of data that warrant protection under BIPA. In Rivera, the plaintiffs’ class claimed that Google created facial templates from photos uploaded to Google Photos. The plaintiffs alleged that the collection of their biometric data triggered BIPA, given that Google failed both to obtain written consent and to disclose its biometric data retention policy. Google’s counterargument centered on the fact that BIPA expressly excludes photographs from its categorization of biometric identifiers, and that facial scans must be taken in person to trigger the Act. The District Court, to Google’s chagrin, entered an order explaining that “nothing in the text of the Privacy Act [BIPA] directly supports . . . [Google’s] interpretation. Nothing in the statute says, one way or the other, how the biometric measurements must be obtained.” Practically speaking, Rivera creates yet another boon for defendants in the grander context of potential biometric litigation, imploring businesses to be even warier of their data collection practices.
The final installment in the BIPA trifecta is In re Facebook Biometric Information Privacy Litigation & Gullen v. Facebook Inc. (Northern District of California), a case that is continuing to attract attention. In re Facebook is actively testing the limits of just how far BIPA’s statutory protections may reach. The plaintiffs, whose ranks are now whittled down to only users of the social media platform, alleged that Facebook did not obtain “written, informed consent” for using facial recognition software to suggest “tagging” options to friends. The plaintiffs also asserted that Facebook has no formal data retention policy and that the language it does have is ambiguous. Facebook, arguing under both the Supreme Court’s Spokeo ruling and the earlier-decided Rosenbach case, claimed that the plaintiffs had shown no actual harm. The Court, however, rejected that argument, explaining that BIPA codifies a right of privacy with regard to personal biometric information, and that a violation of that right, alone, is enough harm to sustain the plaintiffs’ case. Most recently, the Court, having concluded that the plaintiffs alleged a concrete injury sufficient to establish Article III standing, granted class certification. In re Facebook, though still yet to be decided, symbolizes a sort of reversal from Rosenbach, as the debate continues over whether a technical violation of BIPA is sufficient to confer standing.
Given that biometrics is now a permanent staple, legal counsel for clients in affected industries should start to consider how best to shield their clients from the sting of litigation. Rosenbach, Rivera, and In re Facebook collectively indicate that biometric protections may be applicable to more types of data than initially thought, and that those protections may extend well beyond the borders of the state that enacted the statutes. Lawyers, then, should begin charting out potential defense positions, including the scope and reach of any applicable biometric and data privacy statutes, as well as jurisdictional issues, choice of law arguments, and standing issues, that could help squelch the threat of litigation to their clients. Moreover, lawyers would also do well to determine the types of personal information that their clients collect, keeping an eye on the methods and stated policies for storage, retention, and destruction thereof. Inquiries should also be made as to who the client’s service providers and vendors are and whether their contracts include data privacy provisions.
After lawyers get a basic idea of their client’s security framework, they should then advise the client on next steps. The strongest measure of protection from potential litigation is having a thoroughly developed, clearly established written policy setting out the organization’s security plan. Counsel should ensure that clients understand the value of internal privacy training and the imperative to regularly conduct privacy risk assessments. If you and the client are familiar with your risk areas, then you will be better able to mitigate and remedy them. Effective lawyering in this age of biometric technology undoubtedly includes ensuring that your clients have a data breach response plan in place so as to eliminate additional confusion in the event of a breach. Admittedly, less is best when it comes to the collection of data; however, with effective preparation and a well-developed security and response plan, clients can help reduce the likelihood of an incident and the cost of litigation associated with data in general, and biometric data in particular.
Republished with permission. The article first appeared in Raising the Bar on June 15, 2018.