Use cases for biometric data are expanding in ways both fascinating and frightening. Today, employers use fingerprints to track employees’ hours, retail stores implement facial scans to identify troublesome customers, and office buildings are equipped with biometric security access.
The use of biometrics, however, brings significant legal risk as states implement and enforce laws seeking to protect individuals’ privacy. For example, Illinois’ Biometric Information Privacy Act creates a private right of action, and violations can carry significant statutory damages. BIPA claims are often combined in class actions, exponentially increasing financial risk.
As a result, businesses around the country have been surprised to find themselves facing hundreds of millions of dollars in legal exposure.
Businesses Must Be Aware of Laws Around Biometrics
BIPA governs the collection, retention, disclosure, storage, transfer and deletion of biometric data, including retina, iris and hand scans; face geometry; fingerprints; and voiceprints. It requires that companies collecting or possessing biometric data develop a written policy, made available to the public, that establishes a retention schedule and plan for deleting the data.
Companies must provide any person whose data will be captured with written notice of the collection and of the specific purpose and length of time for which the data will be collected, stored and used. The company must also obtain a written release from every participant, and the data must be stored no less securely than the company's other confidential information.
BIPA is a class-action lawyer’s dream come true. Even technical, unintentional violations can place a company in grave jeopardy. Individuals can sue for at least $1,000 per violation. No actual harm must be demonstrated. If a plaintiff establishes the violation was intentional, the damages increase to $5,000.
Biometric Regulation Is a National Issue
Damages can accrue quickly. Some class-action complaints have argued that each capture of biometric data, such as an employee using a thumbprint on a lock, counts as a separate violation — each with a minimum penalty of $1,000. Such thumbprints might be used hundreds of times a week.
Although BIPA is an Illinois law, BIPA litigation has not been limited to Illinois. In April 2018, a California federal court certified a class of individuals in relation to Facebook’s alleged BIPA violations. The class includes all Facebook users in Illinois whose facial templates have been created and stored by Facebook — more than a million people.
At least seven other states are considering laws like BIPA that allow a private right of action. An increasing number of states are also including biometric data within the definition of “personal information” in already existing data breach notification laws. Other states will likely follow.
None of this is to say that businesses should not deploy biometric technologies, which offer significant benefits to companies, employees and customers. Efficiency, security and convenience are all bolstered by biometric identification systems, which render passwords and security badges obsolete.
But wherever a business is located, if it is considering biometrics, it should develop written, publicly available policies that explain the reason for the data collection, the retention schedule and guidelines for destroying biometric data. It should also get written consent before collecting anyone’s biometric data and protect that data in the same manner that the business would protect other confidential information.