Biometric Privacy in 2020: The Current Legal Landscape
This is the first article in a three-part series examining significant legal developments in the area of biometric privacy from 2019, as well as what lies ahead for companies in 2020. Part one provides an overview of biometric data and an analysis of the most significant developments of 2019 and the current legal landscape. Part two will discuss what companies can expect to see in this area of law over the next year. Part three will provide tips and strategies for building flexible, adaptable biometric privacy compliance programs that can position companies to satisfy current and future compliance obligations.
2019 saw numerous developments in biometric privacy, the most notable being the Illinois Supreme Court’s opinion in Rosenbach v. Six Flags Entertainment Corp., in which Illinois’ highest court held that plaintiffs can pursue Illinois Biometric Information Privacy Act claims even in the absence of any actual harm. And because BIPA applies to any company using, collecting or storing biometric information in Illinois — or that has customers who access the company’s goods/services in Illinois — the impact will be felt nationwide.
In 2020, it is anticipated that companies will continue to see a flurry of BIPA litigation. At the same time, it is highly likely new biometric privacy legislation modeled after BIPA will become law in 2020 — further complicating companies’ compliance burdens in connection with the commercial use of biometric technologies.
As we head into 2020, it is important to have a clear understanding of the key biometric privacy developments from 2019, as well as the current legal landscape. In this way, businesses can comply with already-enacted laws while positioning themselves to respond to the rapidly evolving legal landscape of biometric privacy over the course of the next year.
Overview of Biometric Data
Biometric data generally encompasses unique, recognizable and verifiable human biological or behavioral characteristics — including fingerprints, voiceprints and scans of hand or face geometry — that are used primarily for identification and authentication purposes. Finger and facial biometric recognition have become so commonplace that many people do not think twice before using biometrics to log in to their smartphone or authenticate a credit card transaction.
Biometric data is also used in a variety of other ways in commercial settings, such as for verifying passenger identities, more efficient boarding at airports, tracking employee time and attendance, and authenticating users’ identities for increased computer and mobile device login security.
Importantly, while biometric technologies have brought about a wide range of benefits, this burgeoning form of technology also carries significant privacy risks. The theft of biometric data can be more problematic than the theft of other types of personally identifiable information because biometric data cannot be changed by an individual from whom it has been improperly obtained and, once compromised, that biometric data has forever lost its ability to be used as a secure identifying mechanism.
Illinois Supreme Court Opens Floodgates to BIPA Class Litigation with Rosenbach Ruling
By far the most significant development of 2019 was the Illinois Supreme Court’s game-changing decision in Rosenbach, which resulted in a significant expansion of the scope of Illinois’ biometric privacy statute. In that case, Illinois’ highest court held plaintiffs may pursue BIPA claims for mere technical violations of the statute — even where no actual harm/damage is sustained.
Rosenbach is noteworthy in that it eliminated the essential requirement of demonstrating actual injury/harm to pursue legal recourse for alleged BIPA violations. The ruling triggered an immediate uptick in the number of BIPA lawsuits in 2019, which will continue into 2020 as more plaintiffs seek to pursue claims based exclusively on technical statutory violations.
Importantly, Rosenbach exposes companies to significant potential liability for technical failures to fully comply with BIPA, as prevailing parties are entitled to $1,000 per negligent violation and $5,000 per willful violation (or actual damages, whichever is greater) as well as attorney fees. Although BIPA’s statutory damages figures may seem small, a class of just ten thousand consumers under BIPA could subject a company to $10 million in potential exposure.
Together, the combination of potentially sky-high damages awards and the Rosenbach ruling has paved the way for a new wave of extremely costly litigation and a proliferation of BIPA class lawsuits that will continue to flood courts for the foreseeable future.
Ninth Circuit’s Patel Further Increases Scope of Liability in BIPA Litigation
Building upon Rosenbach, the U.S. Court of Appeals for the Ninth Circuit in Patel v. Facebook Inc., further expanded plaintiffs’ ability to pursue BIPA claims for mere technical violations of Illinois’ biometric privacy statute when it held any BIPA violation amounts to a violation of plaintiffs’ substantive privacy rights and, as such, constitutes a cognizable concrete injury-in-fact for purposes of Article III standing.
Beyond the ruling on standing, the court also upheld the certification of a class of Illinois Facebook users, finding Facebook’s extraterritoriality and “runaway damages” arguments insufficient.
Patel is also a critical development for biometric privacy, as the Ninth Circuit’s opinion represents the first federal appellate decision to hold a mere technical BIPA violation injures an individual’s concrete right to privacy. Combined with Rosenbach, Patel further incentivized plaintiffs to pursue class lawsuits for purportedly technical BIPA violations now that the hurdle of Article III standing has seemingly been lowered.
Moreover, Patel’s rejection of Facebook’s extraterritoriality/runaway damages arguments makes it easier for plaintiffs to succeed in certifying large classes, further exposing companies to significant potential liability.
Most recently, on Jan. 21, the U.S. Supreme Court denied Facebook’s petition for certiorari — thus leaving in place the Ninth Circuit’s opinion and moving the case toward trial.
A New Hope: Illinois District Court’s Ruling in Rivera
There is still some hope for defendants embroiled in BIPA litigation, as not all courts have agreed plaintiffs can satisfy Article III standing without real-world harm. Indeed, the U.S. District Court for the Northern District of Illinois in Rivera v. Google Inc., recently dismissed a BIPA suit against Google pertaining to its photo app technology based on an absence of any concrete injury suffered by the plaintiffs sufficient to confer Article III standing.
The district court’s decision was then appealed to the U.S. Court of Appeals for the Seventh Circuit and remains pending.
Rivera demonstrates the existence of differing interpretations related to Article III standing and shows companies defending lawsuits alleging mere procedural/technical BIPA violations may still be able to defeat these claims by demonstrating a lack of a concrete injury.
States Continue to Amend Breach Notification Statutes to Include Biometric Data
In addition to biometrics statutes like BIPA, state legislatures have sought to modernize privacy laws to address biometric technologies through the amendment of state breach notification laws to expand the definition of personal information to include biometric data.
In 2019, several states amended their breach notification laws to include biometric data, including: Arkansas, California, New York and Washington. Consequently, companies’ breach notification obligations in many states have been extended to cover instances in which biometric data is improperly accessed or acquired.
Of note, in 2019 New York updated its breach notification law with the enactment of its Stop Hacks and Improve Electronic Data Security, or SHIELD, Act, which not only adds biometric data to the list of types of personal data that trigger data breach notification obligations, but also expands the scope of covered entities’ breach notification obligations and imposes new data security requirements.
Unsuccessful Efforts to Enact New Biometric Privacy Laws — A Sign of Things to Come?
Currently, there are only three active, domestic biometric privacy laws on the books: Illinois’ BIPA, Texas’ Capture or Use of Biometric Identifier Act and Washington’s H.B. 1493. Overall, Illinois’ BIPA — enacted in 2008 — is generally considered the most stringent of all state laws because it is the only biometric privacy law to provide a private right of action.
In addition to the laws currently on the books, several other states introduced bills in 2019 that sought to enact greater regulation over the use of biometric data in a similar fashion to Illinois’ BIPA. And many proposed bills featured a private right of action provision substantially similar, if not identical, to BIPA.
As just two examples, in 2019 New York’s Legislature introduced (for a third time) the New York Biometric Privacy Act — a carbon copy of BIPA. Florida’s Legislature introduced the Florida Biometric Information Privacy Act, which also bore a striking resemblance to Illinois’ biometrics statute.
Municipalities got into the mix as well, as evidenced by New York City’s introduction of its own proposed biometric privacy law in 2019. While the bill would impose less burdensome requirements on biometric data vis-à-vis BIPA, it would still provide a private right of action identical to Illinois’ biometrics law.
More importantly, the bill also features a unique provision — i.e., that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action” — which would allow plaintiffs to avoid the potential statutory standing hurdles that often serve as roadblocks in similar litigation by explicitly specifying that individuals possess standing to sue for any violations of the law.
While the above bills failed to become law during the 2019 legislative session, lawmakers have signaled their intention to continue to bring these bills to fruition during the 2020 legislative cycle.
Moreover, the aggressive ways in which state and municipal legislative bodies sought to enact their own biometric privacy laws in 2019 illustrate the seriousness with which lawmakers across the nation are considering passing stringent statutory requirements and limitations on the collection and use of biometric data.
So too does this development represent a growing trend across the nation geared toward increased regulation over companies that utilize biometric technologies as part of their business operations.
Failed Attempts by Congress to Implement Uniform, Federal Biometric Privacy Regulation
Finally, 2019 also saw sizable efforts at the federal level to enact a biometric privacy law that would apply uniformly across all 50 states. Congress introduced the Consumer Online Privacy Rights Act, which would impose special consent requirements before collecting any biometric data.
Similarly, Congress also introduced the Commercial Facial Recognition Privacy Act of 2019, which would bar certain companies from utilizing facial recognition technology to identify or track individuals without first obtaining their consent. In addition, during Senate Commerce Committee hearings in late 2019, lawmakers floated the idea of prohibiting the sale of biometric data as part of a more comprehensive federal consumer privacy law.
Ultimately, while it is clear that biometric privacy is a priority for Congress, federal legislators were unable to make any progress in converting their work on biometric privacy legislation into law during the 2019 legislative session.
The past year brought many significant developments in biometric privacy, which, combined, have significantly broadened the scope of exposure faced by corporate entities.
While it remains to be seen how 2020 will pan out regarding new biometric laws over the next year, one thing is certain: 2020 will bring a host of new biometric privacy compliance obligations, hurdles and challenges companies will need to address at the drop of a hat.
Thus, in addition to complying with the laws currently on the books, companies must also ensure they have flexible, scalable biometric privacy compliance programs in place to quickly adapt to the rapidly changing legal landscape of biometric privacy throughout 2020.
“Biometric Privacy in 2020: The Current Legal Landscape,” by Jeffrey N. Rosenthal and David J. Oberly was published in Law360 on February 3, 2020.
 Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019).
 Patel v. Facebook, Inc., No. 18-15982 (9th Cir. Aug. 8, 2019).
 Rivera v. Google, 366 F. Supp. 3d (N.D. Ill. 2018).