The Illinois Biometric Information Privacy Act and the Emerging Biometrics Regulations in the United States - Clarip Privacy Blog

The Illinois Biometric Information Privacy Act and the Emerging Biometrics Regulations in the United States


In the United States, there is currently no federal legislation regulating biometric data.  However, several states have already enacted such regulations, and others are considering them.

The Illinois Biometric Information Privacy Act
The most notable is the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., which provides for a private right of action and has already resulted in over 200 class action lawsuits.  Some of these claims were asserted against non-Illinois companies, although whether BIPA applies extraterritorially remains an open question.

BIPA defines “biometric information” as any information “based on an individual’s biometric identifier used to identify an individual.” A “biometric identifier,” in turn, is defined as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Notably, this definition is narrower than the GDPR’s definition of biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person.” See GDPR Art. 4(14).  For example, BIPA does not cover behavioral characteristics, such as information about a person’s habits, actions, or personality.  One example of such a behavioral characteristic is a keystroke pattern, which is unique to an individual and could be used for authentication.

BIPA requires private entities to (1) develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting them has been satisfied or within three years of the individual’s last interaction with the entity, whichever occurs first; (2) inform the data subject in writing that biometric data is being collected or stored; (3) inform the data subject in writing of the specific purpose and length of term for which biometric information is collected, stored, and used; (4) obtain a written release from the data subject before collecting biometric information; and (5) use a reasonable standard of care in storing, transmitting, and protecting biometric information from disclosure.

Furthermore, private entities may not disclose biometric information unless they obtain the data subject’s consent or the disclosure is required for certain enumerated purposes, such as to complete a financial transaction requested by the data subject or to comply with a warrant or subpoena.  Finally, BIPA prohibits private entities from selling, leasing, trading, or otherwise profiting from biometric information.

Importantly, BIPA also provides for a private right of action which entitles successful plaintiffs to recover (1) $1,000 or actual damages, whichever is greater, for negligent violations, or (2) $5,000 or actual damages, whichever is greater, for intentional or reckless violations, as well as attorneys’ fees and injunctive relief.

In the last two years, over 200 class actions were filed in state and federal courts for alleged violations of individuals’ biometric privacy rights under BIPA.  The increase in litigation was spurred by the Illinois Supreme Court’s decision holding that a failure to comply with the BIPA requirements subjects companies to statutory damages even if the plaintiff cannot show actual harm, such as monetary loss.  See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186.  Similarly, at least two federal circuit courts of appeals concluded that plaintiffs have standing to sue in federal court for purely technical BIPA violations, such as a failure to provide written disclosures or obtain written releases.  See Bryant v. Compass Group USA, Inc., No. 20-1443 (7th Cir. May 5, 2020); Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019).

Texas Biometrics Privacy Law
Following in the footsteps of Illinois, Texas in 2009 enacted its own version of biometric privacy legislation, Tex. Bus. & Com. Code § 503.001. The Texas law requires businesses collecting biometric information for commercial purposes to inform individuals before capturing biometric identifiers (which are defined to include a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry) and to obtain their consent.  The law also limits the sale and disclosure of biometric information, requires companies to use reasonable care to store, transmit, and protect biometric identifiers from disclosure, and requires them to destroy the data within a reasonable time, and not later than one year after the purpose for collecting the identifier has expired.  Unlike BIPA, however, the Texas law does not provide for a private right of action; it is enforced by the Texas Attorney General.

Washington Biometrics Privacy Law
In 2017, Washington became the third state to enact legislation regulating the commercial use of biometric identifiers.  The Washington statute, Wash. Rev. Code 19.375, prohibits companies from enrolling a biometric identifier in a database for a commercial purpose without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of the biometric identifier for a commercial purpose.  The statute also limits the sale and disclosure of biometric identifiers, requires companies to use reasonable care to guard against unauthorized access to and acquisition of biometric identifiers, and regulates retention of biometric information.  Like the Texas law, the Washington statute does not provide a private right of action; it may be enforced solely by the Washington Attorney General.

New York SHIELD Act
The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, whose data security provisions went into effect in March 2020, requires businesses that own or license private information of New York State residents to implement “reasonable safeguards” to protect the security, confidentiality, and integrity of that information, including its disposal.  “Private information” under the SHIELD Act includes biometric information.  To comply with this law, companies that own or license New York residents’ biometric data need to implement a data security program that includes reasonable administrative, technical, and physical safeguards to protect the data from unauthorized access or acquisition.

In addition, a number of other states, including Florida, Massachusetts, Michigan, and South Carolina, have recently considered their own versions of biometric privacy regulations, some modeled on BIPA.  States are also increasingly including biometric data in the definition of “personal information” in their breach notification laws, thus requiring companies to notify regulators, and in some cases consumers, in the event of a breach involving biometric data.  Organizations need to be aware of these developments and the corresponding regulatory requirements in their jurisdictions.

Proposed National Biometric Information Privacy Act of 2020
On August 4, 2020, Oregon Senator Jeff Merkley and Vermont Senator Bernie Sanders introduced a federal biometrics bill, the National Biometric Information Privacy Act of 2020 (the Act).  The bill is modeled largely on BIPA but also includes provisions borrowed from the California Consumer Privacy Act (CCPA).

The Act would apply to “private entities,” which include individuals and businesses that collect and process biometric information.  “Biometric identifiers” under the Act are defined more broadly than in BIPA and include a retina or iris scan, a voiceprint, a faceprint, fingerprints or palm prints, and any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual.

Under the Act, private entities in possession of biometric information would be required to develop a public written policy that establishes a retention schedule and guidelines for permanently destroying the biometric information in their possession.  Private entities would be required to destroy biometric data once the initial purpose for collecting or obtaining the data has been satisfied, and in any case within one year of the individual’s last intentional interaction with the entity.

In order to collect, capture, purchase, receive through trade, or otherwise obtain biometric data, private entities would need to (1) obtain the biometric data to provide a service for the individual or for another identified valid business purpose; (2) disclose to the person that biometric data is being collected or stored, along with the specific purpose and length of term for which the data is being collected, stored, and used; and (3) obtain a written release from the data subject.  Notably, the written release may not be combined with any employment contract.  Thus, presumably, employers would not be able to condition employment on employees’ consent to the collection of their biometric information.

The Act would prohibit selling biometric data for profit and would allow its disclosure only when (1) the data subject provides a written release for the disclosure; (2) the disclosure is necessary to complete a financial transaction requested or authorized by the data subject; or (3) the disclosure is required by law or by a valid warrant or subpoena.  Private entities would be required to use a reasonable standard of care in storing, transmitting, and protecting biometric information from disclosure.  Businesses that collect, use, share, or sell biometric data would be required, upon request of an individual, to disclose that information to the individual free of charge.

The proposed Act not only provides for a private right of action but explicitly states that a violation of its provisions on the collection, retention, disclosure, and destruction of biometric information constitutes “an injury-in-fact and a harm to any affected individual.”  Effectively, this provision would codify the emerging federal case law on standing in the BIPA cases discussed above.  For a negligent violation of the Act, plaintiffs would be able to recover the greater of $1,000 per violation or actual damages.  For an intentional or reckless violation, plaintiffs would be able to recover actual damages plus punitive damages of up to $5,000 per violation.

As the use of biometrics becomes increasingly regulated, organizations that collect, use, and share biometric data must make sure that biometric data is incorporated into their privacy and data security frameworks, and should develop and enhance the protections and controls they offer to their data subjects.  A failure to comply with the emerging regulatory requirements, as well as security failures leading to unauthorized access to and disclosure of biometric data, might subject companies to substantial penalties and costly litigation.

Would you like to know more about regulation of biometric information? Check out Clarip’s whitepaper What Your Company Needs to Know About Regulation of Biometric Data and follow our daily Privacy Blog!
