In 2018 we presented an article regarding the emergence of biometric information (BI) privacy laws and regulations, with some attention paid to the Illinois Biometric Information Protection Act (BIPA) as a potential template for other states. At the time, Illinois, Texas and Washington had fully developed laws protecting BI. Since 2018 only Arkansas has enacted a specific BI protection statute. However, pending legislation in other states and Congress signals an inevitable trend to protect BI. Biometrics have become a ubiquitous part of personal identification and authentication technology in all aspects of life in and out of the workplace.
Generally, like other more general personal information privacy protection statutes (there are some 34 states with pending privacy legislation in 2022), these laws regulate the collection, use, storage, protection and destruction of BI, including fingerprints, retina/iris scans, facial recognition, voiceprints, gait recognition, and other “immutable” characteristic identifiers. Fingerprint scanning, more so than facial recognition, is perhaps the predominant use of BI technology in the workplace today, providing physical access to facilities and digital devices and also helping track employee work patterns. Because BI protection is one aspect of the larger legislative agenda to enact comprehensive personal information privacy laws, businesses should be aware of the changing landscape and assess their practices for potential risks.
Litigation and laws
In the case of Illinois’ BIPA, alleged violations can be enforced by private lawsuits. Violations of the Illinois BIPA may come in the form of failing to adhere to the requirements for collecting and managing BI on the one hand, and improper publication or use on the other.
There has been a “deluge” of litigation in Illinois. In February 2022 a $15.3 million settlement was reached in the Kronos litigation relating to finger sensor timekeeping data. It was reported that in 2020 ADP and NovaTime settled similar claims for $25 million and $14 million, respectively. Facebook is reported to have reached a $650 million settlement. In a case against Six Flags, it is reported that a $36 million settlement was reached.
In Texas, the State Attorney General recently filed a suit against Facebook’s parent company, Meta Platforms Inc., seeking $25,000 for each violation of the BI statute and $10,000 for each violation of the state Deceptive Trade Practices statute. Whether by individuals or prosecutors, litigation to assert rights relating to BI will increase as more laws are passed.
Currently, 12 other states and the U.S. Senate have pending proposed legislation to enact some version of BI protections. California is considering a comprehensive Biometric Security Act in SB 1189 to become effective Jan. 1, 2023. California’s and New York’s proposed legislation is similar to the Illinois BIPA in its provision for private lawsuits to enforce the act and to compensate claimants for violations.
Maryland’s existing Personal Information Protection Act provides for notification of data security breaches including biometric data, which it defines as “personal information.” A recently proposed bill in Maryland would provide for civil enforcement through lawsuits and attorneys’ fees awards by deeming a violation an unfair, abusive or deceptive trade practice pursuant to its consumer protection laws.
On the national level, Senate Bill 4400, introduced by Senators Merkley and Sanders, is an effort to codify a national regulatory and enforcement scheme for biometric information. Senate Bill 4400 defines BI and outlines permissive use and protections in the same manner as existing state laws. Like the Illinois and Washington laws, private litigation would be available to redress violations, including recovery of attorneys’ fees.
The currently enacted laws in Illinois and Washington are undergoing refinement. A search in the Illinois legislative database for pending legislation involving “biometrics” identified dozens of bills. Washington is considering amending its existing BI act so that a violation of the statute would create a rebuttable presumption of harm to the individual and would allow courts to impose damage awards of $10,000 per violation or actual damages, whichever is greater, plus punitive damages and attorneys’ fees for the prevailing plaintiff.
The headline-grabbing lawsuits and settlements focus on those class action claims against large data companies where potentially thousands of individual claims and millions (and potentially billions) of dollars are at stake. However, claims against smaller companies, businesses and employers utilizing BI data services also exist and, given the potential for the recovery of attorneys’ fees, are warnings of potential business risks. How state and federal laws, and particularly courts’ application of those laws, will affect businesses will continue to develop as these laws are enacted across the country.
Best practices to avoid risk
Some of the existing court decisions in this new but growing area of consumer and employment protection may provide guideposts for the future. In the Rosenbach v. Six Flags case, the Illinois Supreme Court held that an “aggrieved” party need not demonstrate actual “injury” in pursuit of private actions.
In a later case, the court determined that the “exclusive remedy” provisions of the state workers’ compensation act did not prevent BIPA claims against employers. And, as an example of how the BIPA affects other related businesses, such as insurance, the Illinois Supreme Court held that a claim is covered under an insured’s general liability policy. In West Bend Insurance Company v. Krishna Schaumburg Tan, Inc., the court found that the insurer owed a duty to defend the claim and to provide indemnity coverage. Insurance carriers will monitor these developments closely and perhaps amend policy definitions to narrow available coverages.
Together, the legislative trend to enact protections and the historical increase in litigation engendered by the currently enacted laws suggest that companies will have to assess their risks if they use BI in any aspect of their business. Best practices to avoid those risks involve:
- Understand the applicable law; do currently enacted privacy laws contemplate BI?
- Identify the areas of the business for which BI will be used.
- Understand the technology used to collect, store and dispose of BI.
- If vendors are used, carefully consider the scope of their products and services, as well as any limitation of warranty remedies or use of disclaimers.
- Develop policies for the gathering, use, storage and destruction of BI, and updates to policies.
- Determine whether industry standards, such as ANSI or ISO standards, may provide guidance on implementing BI practices.
- Develop notices required for identifying the type of BI collected, its use, storage and destruction.
- Develop forms for those whose data is being collected, including any necessary release authorizations.
- Determine whether insurance policies provide coverage for claims either as employment practices or as part of the general liability coverage form.
By staying abreast of these imminent changes, potential risks can be identified and managed.