Biometric Data and Privacy Law Grow Increasingly Complex
A recent study by Spiceworks suggests that by 2020, nearly 90% of businesses will be using biometric technologies for a variety of security and business purposes. The proliferation of these technologies has led to a significant spike in legislation and litigation related to the use and protection of biometric data.
Biometrics and Privacy Law
A biometric is a physical characteristic, such as a fingerprint or retina scan, that can be used to identify an individual. When this information is collected, it becomes a piece of data that can be used to validate network authentication, building access, time and attendance, and other applications. If that biometric data is stolen, it could be used to defeat those security controls or to commit identity theft and other financial crimes.
Several states have implemented laws to regulate the collection, storage, and privacy of biometric data:
Illinois was the first with its 2008 passage of the Biometric Information Privacy Act (BIPA), 740 ILCS 14. Washington and Texas have similar laws.
A California statute is set to go into effect on Jan. 1, 2020.
Florida, Massachusetts, Arizona, Idaho, and New York have also proposed such legislation.
These regulations have provided the basis for a spate of lawsuits against companies that collect biometric data. In Illinois alone, there have been more than 200 BIPA-related lawsuits in the past two years. Privacy experts anticipate that number will increase following a January ruling by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. The court held that consumers have a right to sue companies for improperly collecting biometric data and are entitled to liquidated damages and attorneys’ fees even if they don’t suffer actual harm.
BIPA Puts Biometrics in a Special Category
Every state and the federal government have laws protecting the privacy of personally identifiable information (PII) such as Social Security numbers, driver’s license numbers, and financial account numbers. Generally, public- and private-sector entities that collect and store PII must take steps to safeguard it and notify individuals whose information is exposed in a cybersecurity breach.
BIPA places biometric data in a unique category. The law notes that biometrics are “biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
In light of that, BIPA requires private-sector entities to:
Inform individuals in writing that biometric data is being collected
Inform them of the purpose of such collection and how long the data will be held
Entities must also obtain the subject’s written consent before collecting the data.
The law provides that “any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party.” This is a key distinction in Illinois’ approach. While other statutes limit enforcement to the state’s attorney general, BIPA creates a private right of action allowing consumers to seek monetary relief for violations. The penalties are substantial—the greater of $1,000 or actual damages for each negligent violation and $5,000 or actual damages for each willful violation, plus attorneys’ fees and costs.
In Rosenbach, the plaintiff alleged that Six Flags violated several BIPA provisions in 2014 when it required her teenage son to provide a fingerprint scan to purchase a season pass. Six Flags argued that the plaintiff lacked standing to sue because her son did not suffer any actual injury. A lower court ruled in favor of Six Flags, but the state supreme court reversed, noting that any time an entity violates BIPA, the individual’s right to biometric privacy “vanishes into thin air.”
Legislative Action Is Not Keeping Up With Advances in Technology
Just a month earlier, in December 2018, the U.S. District Court for the Eastern District of Illinois ruled against the plaintiffs in a noteworthy BIPA case involving tech giant Google.
In Rivera v. Google, 2018 WL 6830332 (N.D. Ill. Dec. 29, 2018), the plaintiffs argued that the facial recognition feature of Google Photos collects facial scans without consent. The court granted Google’s motion for summary judgment, holding that the plaintiffs could not establish Article III standing to sue, that they were not “aggrieved” within the meaning of BIPA, and that they were not entitled to relief because they suffered no harm.
In a footnote, Judge Edmond Chang opined that older laws such as BIPA are an imperfect fit for today’s technology, which advances at a rapid pace. “The difficulty in predicting technological advances and their legal effects is one reason why legislative pronouncements with minimum statutory damages and fee-shifting might reasonably be considered a too-blunt instrument for dealing with technology.”
The state appellate court in Rottner v. Palm Beach Tan, No. 15 CH 16695 (Ill. Cir. Ct. Dec. 20, 2016), came to a similar conclusion, holding that an individual alleging only technical violations of BIPA was not entitled to liquidated damages, effectively eliminating the incentive to sue. The judge surmised that the legislative intent of BIPA “was not to put companies out of business but to keep companies in compliance with the law.” However, that opinion predated Rosenbach.
The Rosenbach decision may well mean economic doom for Illinois companies sued for technical violations of BIPA. One class action lawsuit could easily mean millions of dollars in damages, fees, and costs. Now that the Illinois Supreme Court has spoken on the issue, the Illinois legislature will need to amend the law to prevent this result.
Learn More About Data Privacy and the Law
As privacy laws continue to be challenged by the developing field of biometric data, cybersecurity and privacy legal experts will be increasingly needed in both the public and private sector. Purdue Global Law School offers an online Executive Juris Doctor program with a law and technology track that provides advanced legal training on cybersecurity issues and an online Juris Doctor for those who wish to become a practicing attorney in California. Single courses in technology and the law are also available.