Article

Biometric Privacy in 2020: How Companies Can Comply

This is the third article in a three-part series examining significant developments in the area of biometric privacy in 2019, as well as what lies ahead for companies in 2020. Part one provided an overview of biometric data and an analysis of the most significant developments of 2019 and the current legal landscape. Part two discussed what companies can expect to see in this area of law over the next year. Part three provides tips and strategies for building flexible, adaptable biometric privacy compliance programs that can position companies to satisfy current and future compliance obligations.

2019 significantly altered the legal landscape of biometric privacy. Companies can expect to see more of the same in 2020 — especially as it relates to a continued influx of high-profile Illinois Biometric Information Privacy Act class action litigation, as well as the enactment of additional biometric privacy laws modeled heavily after Illinois’ statute.

Companies that incorporate biometric data into their business practices should strategically enhance their existing compliance programs to ensure compliance with current biometrics laws while also building the flexibility needed to allow them to quickly adapt to the many new wrinkles in biometric privacy that will inevitably be added to the mix in 2020.

Biometric Data Privacy Policy

As a starting point, companies utilizing biometric data should ensure transparency as to how they collect, use, store, share and dispose of this type of data by implementing a detailed biometric data privacy policy.

At a minimum, privacy policies should encompass the following issues:

1. Notice that biometric data is being collected and/or stored;
2. The current and reasonably foreseeable purposes for which the company utilizes biometric data;
3. How biometric data will be used;
4. A description of the protective measures used to safeguard biometric data; and
5. The company’s biometric data retention and destruction policies and practices.

These policies should also strictly prohibit the disclosure of any individual’s biometric data without his or her consent and should ban the company and its employees from selling or otherwise profiting from any such data.

Biometric data privacy policies should be made publicly available, which, at a minimum, should entail inclusion in the entity’s broader online privacy policy. Companies should also update their policies whenever any material modifications are made to their biometric data management practices.

Written Notice

Second, to further support the principle of transparency, companies should provide conspicuous, advance notice of the use of biometric data before any such data is captured, used or stored. In so doing, companies should offer consumers meaningful notice regarding how biometric data will be used, shared and stored.

At a minimum, all written biometric data notices must contain language informing individuals that:

1. Biometric data is being collected and stored;
2. The specific purpose for collecting and using biometric data;
3. The length of time for which the data is being collected, stored and used;
4. The company’s schedule and procedure for permanently disposing of biometric data;
5. Any protective measures utilized to safeguard biometric data; and
6. That biometric data may be shared with service providers or third parties.

Where appropriate, or required by law, contextual and just-in-time notices may be necessary.

While no consensus exists as to what is sufficient to satisfy the notice requirement of today’s biometric privacy laws, at a minimum, companies should include their biometric privacy notice in their online privacy policy. In addition, where applicable, companies should provide individualized written notice to all individuals before their biometric data is captured as well.

Written Consent/Release

Third, it is also imperative that companies obtain signed, written consent — in the form of a written release — from all individuals authorizing the company to collect, use and store their biometric data before any biometric data is captured or used for any purpose.

In signing the written consent, the individual should acknowledge he/she has read the company’s general biometric data policy as well as the more specific, written notice that has been provided regarding its collection and use of biometric data.

This consent/release should also make clear the individual consents to those policies and guidelines, as well as to the collection and use of his or her biometrics, including the company’s ability to share their biometrics with any service providers or third-party vendors.

Also, companies should ensure they maintain a detailed written record of how and when consent was acquired so they can affirmatively demonstrate their compliance. Importantly, obtaining a written release prior to the collection of any biometric data can serve as a robust defense to a claim an individual lacked adequate biometric data-related notice or did not provide consent to the use of biometric data by the company.

Data Security Measures

Fourth, companies must ensure they implement effective data security safeguards to protect all biometric data that is captured, used and stored by the company from improper disclosure, access or acquisition.

Companies should ensure they safeguard biometric data: (1) using the reasonable standard of care applicable to their given industry; and (2) in a manner that is the same or more protective than that in which the company stores, transmits and protects other forms of sensitive personal information.

Companies should also periodically assess their biometric data security measures and complete any updates/modifications to their security programs to address and neutralize any new or evolving threats and vulnerabilities.

In terms of data security measures themselves, all biometric data should be stored separately from other personal information such as names, birthdates and account numbers. All stored biometric data should also be encrypted, both in transit and while at rest.

And companies should also establish and implement appropriate retention and disposal practices. Finally, companies must ensure their biometric data is hosted and managed by a reputable, trusted third party with the requisite experience, expertise and security controls to effectively store and safeguard this especially sensitive type of data.

Vendor Management

Lastly, companies that utilize third-party vendors for the collection, use or storage of biometric data should update their vendor contracts to take into consideration the key issues raised by biometric privacy laws.

These contracts should include specific language that vendors will comply with all applicable laws; will not disclose any biometric data without written consent; will not sell or otherwise profit off biometric data (other than through the purpose for which the company is utilizing the vendor’s services); and will adhere to appropriate data security standards.

In addition, companies should also specify through contractual language that they retain the right to request information pertaining to the vendor’s data security practices, as well as the right to conduct third-party audits to ensure compliance with biometric privacy laws.

Conclusion

2019 saw an explosion of bet-the-company BIPA class action litigation, including numerous high-profile suits targeting the biometrics practices of some of the world’s largest tech giants.

And 2019 marked the beginning of a concerted though unsuccessful effort by state and municipal legislators to enact their own biometric privacy laws modeled heavily after BIPA. Combined, companies should anticipate facing even higher compliance burdens and potential liability exposure risk in 2020.

Accordingly, now is the time to put in place flexible, adaptable biometric privacy compliance programs that will enable businesses to not just satisfy their current legal obligations, but also adeptly respond to the ever-changing legal landscape of biometric privacy laws.

“Biometric Privacy in 2020: How Companies Can Comply,” by Jeffrey N. Rosenthal and David J. Oberly was published in Law360 on February 5, 2020.