COVID-19 is accelerating company adoption of biometric technologies. With the global shift toward remote work, biometric systems, which measure physiological and behavioral characteristics, are being used to monitor employee activity and attendance. Facial recognition has also been vital to contactless engagement, especially in the airline and retail sectors, and such systems will remain in place after the pandemic subsides. This burgeoning biometric industry is drawing the attention of lawmakers. Given the firm's technology-driven focus, Octillo has been tracking biometric laws and will continue to monitor legal and business developments surrounding biometric technologies.
Biometric Data and the Law
Unlike other personal data, such as passwords, Social Security numbers, and payment card information, biometric identifiers cannot be changed once breached: a compromised fingerprint or face template cannot be reissued. Because they are immutable by nature, regulations classify them as a sensitive category of personal data. Notable laws that govern biometric data include the E.U. General Data Protection Regulation (GDPR) and U.S. state laws, including California's comprehensive privacy law, the CCPA. Three states, Illinois, Texas, and Washington, have passed biometric-specific statutes. New York State recently introduced the Biometric Privacy Act, a bill that is nearly identical to Illinois' BIPA, and other states, such as Arkansas and California, have amended their breach notification laws to treat biometric data as personal identifying information.
The first step in knowing whether biometric regulations apply to your business is understanding how each law defines biometric data. The GDPR defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data." Art. 4(14). U.S. biometric laws similarly define biometric data in terms of specific identifiers, including retina scan, iris scan, fingerprint, voiceprint, hand scan, and face geometry. For example, the Illinois Biometric Information Privacy Act (BIPA) defines biometric information as "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual." Sec. 10. Note that under both definitions the derived template or measurement is covered, not only the raw image or recording.
U.S. Biometric Litigation Trends
Recent rulings in biometric litigation indicate that BIPA currently drives the legal landscape for biometric data protection in the U.S. BIPA litigation has been on the rise since the Illinois Supreme Court's 2019 decision in Rosenbach v. Six Flags. The plaintiff in Rosenbach was the mother of a minor whose fingerprint was captured to verify his identity for entry to an amusement park owned by the defendant. The Court rejected the defendant's argument that the plaintiff had not suffered any actual or threatened harm and held that a plaintiff may sue based on a technical violation of the statute alone. In other words, a person does not have to suffer actual harm to pursue a claim under BIPA. Federal courts have since agreed that collecting biometric identifiers without the informed written consent BIPA requires is, by itself, a concrete injury sufficient to support a lawsuit. For example, in May 2020, the Seventh Circuit in Bryant v. Compass found the Rosenbach ruling instructive in holding that the plaintiff could pursue her lawsuit against the operator of workplace vending machines that authenticated users by fingerprint scan in lieu of credit card payments.
The types of companies involved in BIPA litigation are diverse. Any company that collects, stores, or uses biometric information of Illinois residents is subject to BIPA. To that end, no industry seems immune: plaintiffs have sued big tech companies using facial recognition technologies as well as smaller companies, such as nursing homes, using fingerprint systems for timekeeping. The Compass ruling illustrates that third-party vendors who supply biometric authentication systems to workplaces are within the reach of BIPA, not just the employers that deploy them.
The diversity of cases signals the legislative impact of the law and spotlights the role of privacy policies and procedures. BIPA is the only biometric law in the U.S. that gives individuals a private right of action, with statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. Because each scan can be argued to be a separate violation, the stakes can be high for companies without proper biometric data governance.
What should companies do?
To comply with BIPA and the other evolving biometric laws, companies should work with experienced lawyers who understand both biometric technologies and the regulations to put the following controls and practices in place:
- Inform individuals, or their legally authorized representatives, in writing of the specific purpose for which their biometric data is being collected and how long it will be kept.
- Inform individuals, or their legally authorized representatives, of the company's biometric collection, retention, storage, and dissemination policies and procedures.
- Obtain a written release from individuals, or their legally authorized representatives, before collecting any biometric data.
- Make the company's written biometric policy, including its retention schedule and destruction guidelines, publicly available.
- Store, transmit, and protect biometric data using at least the reasonable standard of care within the industry, and no less protectively than other confidential and sensitive information.
A robust biometric compliance program should reflect current laws and be flexible and scalable enough to absorb the changes that new biometric legislation will inevitably bring to a company's privacy compliance program. Octillo's lawyers, who are also technologists, have the skills and experience to build such a program. We stand ready to answer any of your questions.
*Attorney Advertising. Prior results do not guarantee future outcomes.