By: Anne McEnaney
As the use of biometrics in business becomes more ubiquitous, [1] companies must understand the legal implications attendant to the use of individuals’ private biometric information.[2] Biometric technologies analyze a person’s unique, measurable physical and behavioral characteristics to verify his or her identity.[3] Whether it be restricting facility access with fingerprint scanning[4] or clocking in with an iris scan,[5] companies use biometrics to save time, cut costs, and prevent fraud.[6] While biometric technology may provide companies economic and security benefits, the use of biometric technology exposes businesses to significant legal risks when they fail to comply with biometric data privacy statutes.[7]
In response to the increasing use of biometrics, three states – Illinois, Washington, and Texas – have enacted biometric information privacy statutes.[8] In general, these statutes require companies to notify individuals before using their biometrics, obtain their consent, and protect biometric data with a reasonable standard of care.[9] Biometric information privacy statutes also prohibit employers from selling biometric information, subject to certain exceptions.[10] Given the unique and permanent nature[11] of an individual’s biometric data, these statutes serve the important interest of protecting the public welfare.[12]
Of the three states with biometric information privacy statutes, the most stringent is Illinois’ Biometric Information Privacy Act (“BIPA”).[13] BIPA requires companies to first provide notice, obtain written consent, and make disclosures before collecting employees’ biometric data.[14] What most significantly distinguishes BIPA from the other states’ biometric information privacy statutes, however, is that BIPA includes a private right of action.[15] That is, in Illinois, private individuals may file suit against companies while in the other states public authorities hold companies accountable.[16]
However, what makes BIPA dangerous to companies is that, in 2019, the Illinois Supreme Court held that a party need not suffer actual injury to be considered “aggrieved” under BIPA.[17] Rather, a party must only show that the defendant company violated BIPA to have standing.[18] Upon a showing that a company violated BIPA, a plaintiff may be entitled to up to $5,000 in statutory damages per violation if the court finds that the violation is intentional or reckless.[19] Additionally, aggrieved parties may be entitled to injunctive relief and attorney’s fees.[20] For these reasons, plaintiff’s attorneys consider BIPA an attractive means to bring class-action suits against companies that operate in Illinois.[21] Facing costly class-actions, big-name companies like Facebook (now “Meta”),[22] and Tik Tok chose to settle for millions rather than run the risk of losing as trial.[23]
As more states consider passing biometric privacy legislation, companies should strengthen their policies surrounding the collection and storage of biometric information.[24] Specifically, companies would be wise to note what biometric data they use or intend on using and notify those whose information it plans on collecting.[25] Employers should also develop a written policy regarding the use, collection, and storage of biometric data and follow it strictly. While biometrics are a useful business tool, companies should be vigilant of its use and keep an eye out for new, local legislation to avoid liability.
[1] See COVID-19 and the Future of Biometrics, KPMG, https://info.kpmg.us/content/dam/info/en/techinnovation/pdf/2020/tech-disrupters-biometrics.pdf (last visited Feb. 10, 2022) (finding that 38% of companies have increased their investment in biometrics by 20-30%).
[2] See Alan Wernick, Biometric Information – Permanent Personally Identifiable Information Risk, American Bar Association (Feb. 19, 2019), https://www.americanbar.org/groups/business_law/publications/committee_newsletters/bcl/2019/201902/fa_8/.
[3] See Karen D. Schwartz, How Biometric Technology is Changing Businesses’ Security, ITPro Today (July 27, 2021), https://www.itprotoday.com/identity-management-and-access-control/how-biometrics-technology-changing-businesses-security.
[4] See id.
[5] See Liz Strikwerda, How Do Biometric Time Clocks Reduce Payroll Costs? [4 Simple Ways to Cut Overhead Without Layoffs], WorkforceHub (March 11, 2021), https://www.workforcehub.com/blog/how-do-biometric-time-clocks-reduce-payroll-costs-4-simple-ways-to-cut-overhead-without-layoffs/.
[6] See KPMG, supra note 1 (finding that 38% of companies have increased their investment in biometrics by 20-30%).
[7] See Jake Holland, As Biometric Lawsuits Pile Up, Companies Eye Adoption with Care, Bloomberg Law (Feb. 9, 2022, 5:00 AM), https://www.bloomberglaw.com/bloomberglawnews/privacy-and-data-security/XE3UUDNG000000?bwid=0000017e-d4e8-de63-a7ff-fde92af10000&cti=LSCH&emc=bblnw_nl%3A1&et=NEWSLETTER&isAlert=false&item=body-link&qid=7244575®ion=text-section&source=newsletter&uc=1320006233&udvType=Alert&usertype=External.
[8] 740 Ill. Comp. Stat. Ann. 14/15 (2008); Wash. Rev. Code §19.375 (2017); Tex. Bus & Com. Code Ann. §503.001 (West 2009).
[9] Jonathan Herpy, Staying in Compliance with Biometric Privacy Law as a Business, Forbes (Apr. 5, 2021, 9:00 AM), https://www.forbes.com/sites/forbesbusinesscouncil/2021/04/05/staying-in-compliance-with-biometric-privacy-laws-as-a-business/?sh=618946403123; Tagvoryan et. al., supra note 8; Updates on Biometrics in the Workplace: Scanning the Legal Landscape in New York and Beyond, Epstein Becker Green (Aug. 19, 2021), https://www.ebglaw.com/insights/updates-on-biometrics-in-the-workplace-scanning-the-legal-landscape-in-new-york-and-beyond/#:~:text=In%20addition%2C%20the%20Washington%20law,the%20retention%20of%20such%20data (hereinafter Biometrics in the Workplace).
[10] Herpy, supra note 9; Tavgoryan et. al., supra note 8; Biometrics in the Workplace, supra note 9 (noting that the Washington statute allows “disclosure related to certain financial transactions or other products or services authorized, subscribed to, or requested by the individual.”); see also William Blesch, Compliantly Using Biometric Data in Washington, TermsFeed (March 22, 2021), https://www.termsfeed.com/blog/biometric-data-washington/.
[11] Schwartz, supra note 3.
[12] See Wernick, supra note 2.
[13] See Tagvoryan et. al., supra note 8; Quinn Emanuel Urquhart & Sullivan, LLP, Avoiding Liability Under the Illinois Biometric Information Privacy Act, JD Supra (Nov. 19, 2021), https://www.jdsupra.com/legalnews/avoiding-liability-under-the-illinois-2065724/.
[14] Tagvoryan et. al., supra note 8; Quinn Emanuel Urquhart & Sullivan, LLP, supra note 13.
[15] Quinn Emanuel Urquhart & Sullivan, LLP, supra note 13.
[16] Id.
[17] See Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197, 1206 (Ill. 2019).
[18] Id.
[19] Tagvoryan et. al., supra note 8.
[20] Quinn Emanuel Urquhart & Sullivan, LLP, supra note 13.
[21] Id.; Tagvoryan et. al., supra note 8.
[22] Mike Isaac., Facebook Renames Itself Meta, The New York Times (Oct. 28, 2021), https://www.nytimes.com/2021/10/28/technology/facebook-meta-name-change.html.
[23] Quinn Emanuel Urquhart & Sullivan, LLP, supra note 13 (noting that Facebook settled for $650 million and Tik Tok settled for $92 million).
[24] See Holland, supra note 7 (“Kentucky, Maine, Maryland, Massachusetts, New York, and West Virginia are weighing bills similar to BIPA.”).
[25] Herpy, supra note 8.