DATA RISK INTELLIGENCE    |    GDPR       |    WHITEPAPERS

Contact us Today!


US Biometric Privacy Litigation Takes the Forefront

united states biometric litigation

Illinois Reforms Biometric Information Privacy Act (BIPA)

On August 2, 2024, Illinois Governor J.B. Pritzker signed Senate Bill 2979 into law, marking a significant reform to the Biometric Information Privacy Act (BIPA). The reform, effective immediately, addresses concerns over excessive damage claims under BIPA by changing how violations are assessed. Previously, each instance of biometric data collection without consent could result in separate claims, leading to substantial financial liabilities for companies. The new amendment specifies that repeated collection of the same biometric identifier from an individual constitutes only a single violation, significantly limiting potential damages.

This reform comes in response to the Illinois Supreme Court’s decision in Cothron v. White Castle System, Inc., which allowed plaintiffs to claim damages for each instance of biometric data collection without consent. This decision had raised concerns about the excessive financial burdens on businesses.

The reform also introduces the use of electronic signatures to obtain consent for biometric data collection, making compliance easier for businesses.

Illinois was a pioneer in biometric privacy law with the original BIPA in 2008, which set stringent rules for biometric data use, including the requirement for informed consent and the right for individuals to sue for violations.

Recent Biometric Privacy Developments in the U.S.

Overview of Biometric Privacy Laws

Biometric privacy laws across the U.S. share common elements:

  • Definition of Biometric Identifiers: Laws typically define biometric identifiers to include retina or iris scans, fingerprints, voiceprints, and records of hand or face geometry. This clear definition ensures comprehensive protection of biometric data.
  • Informed Consent Requirement: Before collecting biometric data, entities must provide clear notice and obtain consent from individuals. This fosters transparency and trust.
  • Data Protection Standards: Entities collecting biometric data must use reasonable care to store, transmit, and protect this information, ensuring measures are at least as stringent as those used for other sensitive data.
  • Disclosure and Retention Limits: Laws restrict the disclosure of biometric data to third parties unless consent is given, required by law, or for law enforcement purposes. Entities must also destroy biometric data within a reasonable timeframe, typically no later than one year after the data’s intended use is fulfilled.
  • Penalties for Violations: Individuals whose biometric data privacy rights are violated can sue the offending entity. Laws allow for the recovery of damages, including attorney’s fees and court costs, providing a strong deterrent against non-compliance.

Texas’ Biometric Privacy Legislation

Texas has been proactive in addressing biometric concerns, establishing comprehensive legislation and pursuing companies that may have infringed upon residents’ rights.

  • Texas Business and Commerce Code, Section 503.001: This section has established baseline protections for biometric data.
  • Texas Data Privacy and Security Act (TDPSA): This broader act underscores Texas’s commitment to enhancing privacy protections across all types of personal data, including biometric information.

Meta’s $1.4 Billion Settlement with Texas

In a recent development, Meta agreed to a $1.4 billion settlement with Texas over allegations of using biometric data without user consent. This settlement, announced by Texas Attorney General Ken Paxton, is the largest secured by a single state.
“This historic settlement demonstrates our commitment to standing up to the world’s biggest technology companies and holding them accountable for breaking the law and violating Texans’ privacy rights,” Paxton said.

Meta stated, “We are pleased to resolve this matter and look forward to exploring future opportunities to deepen our business investments in Texas, including potentially developing data centers.”

The lawsuit, filed in 2022, alleged Meta violated state law by capturing or selling residents’ biometric information without consent. Despite the settlement, the $1.4 billion is unlikely to significantly impact Meta’s business.

Texas’ Continued Legal Battle with Google

Texas remains steadfast in its legal battle against Google, accusing the tech giant of unlawfully collecting biometric data without proper consent. The state claims Google violated laws by capturing biometric data through products such as Google Photos, Google Assistant, and Nest Hub Max.

Google has vowed to fight the lawsuit, with spokesperson Jose Castaneda arguing that the lawsuit misrepresents their products. In a recent development, a Texas state judge denied Google’s request to depose Texas officials, marking a new milestone in the ongoing case.

Washington’s Biometric Privacy Act (WBPA)

Washington state also has stringent regulations on biometric data through the Washington Biometric Privacy Act (WBPA), passed in 2017. The WBPA closely mirrors the stringent regulations of Illinois’ BIPA. Notable cases under WBPA include:

  • Rainier Arms LLC v. Tony Wall (2020): This pivotal case involved a dispute over the unauthorized use of facial recognition technology, leading to a settlement and Rainier Arms agreed to enhance its data practices and compensate Wall, highlighting the necessity for businesses to obtain explicit consent and adhere to privacy regulations when using biometric technologies.
  • State of Washington v. RealNetworks Inc. (2020): The state sued RealNetworks for unlawfully collecting and storing facial recognition data without consent. The lawsuit contended that RealNetworks, a company specializing in software and digital media services, had unlawfully collected and stored biometric data, specifically facial recognition data, from individuals without obtaining their explicit consent.
  • Sandoz v. Microsoft Corporation (2022): This class action lawsuit accused Microsoft of infringing on the WBPA through its use of facial recognition technology without explicit consent.
  • Alvarez v. Smartsheet Inc. (2023): The lawsuit claimed Smartsheet collected and used biometric data without providing required notice or obtaining consent. The plaintiffs claimed that Smartsheet collected and utilized biometric information, such as facial recognition or fingerprint data, without providing the required notice or obtaining explicit consent from the employees.

Other Noteworthy Biometric Cases

In states without specific biometric data protection laws, existing laws are used to pursue companies:

  • Patel v. Facebook: This class-action lawsuit involved Facebook’s use of facial recognition technology and alleged that the company violated the Illinois Biometric Information Privacy Act (BIPA) by collecting and storing users’ biometric data without proper consent. The case was significant in establishing the legal precedent for biometric privacy under BIPA and resulted in a notable settlement.
  • Ely v. Facebook: Alleged violations of Maryland’s privacy and consumer protection laws by Facebook. The plaintiffs alleged that Facebook violated Maryland’s privacy and consumer protection laws by collecting and storing users’ biometric data without proper consent. Although Maryland lacks a specific biometric data privacy law like Illinois’ Biometric Information Privacy Act (BIPA), the lawsuit relied on the Maryland Consumer Protection Act (MCPA) and other broader privacy principles.
  • Rosenberg v. The New York Times Company: Alleged violations of New York’s privacy laws by The New York Times through facial recognition technology. The plaintiffs alleged that The New York Times violated New York’s privacy laws by collecting and using biometric data without proper consent. The lawsuit was primarily based on New York’s General Business Law § 349, which prohibits deceptive business practices. The plaintiffs claimed that The New York Times engaged in deceptive practices by failing to adequately disclose its collection of biometric information through facial recognition technology used on its platform. Additionally, the suit invoked the New York State Labor Law for employees, asserting that the collection of biometric data without informed consent violated their privacy rights.

Conclusion

These developments reflect a growing awareness and regulatory focus on biometric privacy across the United States. With Illinois’s BIPA reform, other states may consider similar adjustments to balance privacy concerns with business interests.

To learn more about US privacy laws, check out
the Clarip US Privacy Law Tracker

Clarip’s Data Privacy Governance Platform ensures compliance with all consumer privacy regulations, including the “Do Not Sell/Do Not Share My Personal Information” solution. Allow customers to submit, revoke and update granular consent with Clarip’s Universal Consent Management. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.

Email Now:

Mike Mango, VP of Sales
mmango@clarip.com

Related Articles:

Data Privacy and the Future of Digital Marketing
US Privacy Law Tracker
Understanding US Data Privacy Law Fines
Evolution of digital consent and preferences
What Is GPC (Global Privacy Control), And why does it matter?

CONTACT

  • 1521, Concord Pike, Suite #301,
    Wilmington, DE 19803 USA
  • 20 Montchanin Road, Suite 20,
    Greenville, DE 19807 USA
  • Contact Online

    •   888-252-5653