Biometric Privacy in 2020: What Companies Can Expect
This is the second article in a three-part series examining significant developments in the area of biometric privacy in 2019, as well as what lies ahead for companies in 2020. Part one provided an overview of biometric data and an analysis of the most significant developments of 2019 and the current legal landscape. Part two discusses what companies can expect to see in this area of law over the next year. Part three will provide tips and strategies for building flexible, adaptable biometric privacy compliance programs that can position companies to satisfy current and future compliance obligations.
2019 was a noteworthy year in the area of biometric privacy, most particularly due to game-changing decisions by the Illinois Supreme Court and U.S. Court of Appeals for the Ninth Circuit pertaining to the Illinois Biometric Information Privacy Act, which greatly expanded the scope of liability facing companies using biometric data as part of their business.
At the same time, many states — and even some municipalities — sought to enact biometric privacy laws of their own mirroring BIPA; if enacted, these laws would undoubtedly increase companies’ compliance burdens and exposure.
Companies can expect more of the same in 2020, with legislatures across the nation continuing to impose greater regulation over the collection and use of biometric data, as well as additional court decisions in biometric class actions that will further define the contours of the law.
So what developments should companies expect to see in biometric privacy in 2020?
BIPA Litigation Will Continue to Flood Courts Following Rosenbach and Patel
BIPA was enacted in 2008 to help regulate the collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information. While the law has been in effect for 12 years now, the real turning point of BIPA litigation took place in the beginning of 2019, when the Illinois Supreme Court issued its decision in Rosenbach v. Six Flags Entertainment Corp.
In Rosenbach, Illinois’ highest court significantly altered the playing field when it held plaintiffs may pursue BIPA claims for mere technical violations of the law, even where no actual harm is sustained. Not surprisingly, the decision led to a spike in the number of BIPA filings, which made clear that plaintiffs do not need to allege — let alone establish — actual harm/injury to maintain a cognizable claim under Illinois’ biometric privacy law.
Later in 2019, the Ninth Circuit in Patel v. Facebook Inc. further expanded the scope of companies’ exposure for mere technical failures when it held any violation of BIPA constitutes a cognizable concrete injury-in-fact for purposes of Article III standing. Moreover, Facebook’s petition for certiorari was recently rejected, leaving in place the Ninth Circuit’s ruling and clearing the way for trial.
Rosenbach and Patel opened the floodgates to a new wave of extremely costly litigation, with damages figures that are almost always egregiously disproportionate to the nature and extent of the violation. What makes BIPA especially attractive to plaintiffs’ attorneys is the law’s private right of action provision, which allows for statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation.
These statutory damages — which, again, can be recovered for mere technical violations of the law — provide noteworthy incentives for plaintiffs and their attorneys to pursue class actions for alleged BIPA violations, even if those violations had no real-world adverse impact on those pursuing the BIPA claims.
Moving forward, companies should expect to see a continued proliferation of BIPA class actions throughout 2020. At the same time, companies can also expect the legal landscape of BIPA litigation to shift and evolve even further over the course of the next year, as more BIPA rulings further refine the contours of Illinois’ biometric privacy statute.
Other States/Municipalities Will Likely Follow Illinois’ Lead by Enacting BIPA Copycat Laws
BIPA ushered a sea change in terms of how companies collect, use and store biometric data and set the standard for a new era of biometric privacy featuring greatly increased regulation and significant exposure. As further technological advances inject biometric data into more and more areas of our lives, and as data breach incidents to increase in frequency and severity, additional regulation by states and municipalities over the use of biometric technologies is highly likely.
Companies should anticipate the implementation of BIPA copycat laws emulating many of the same privacy principles — including broad statutory damages provisions — built into BIPA. In fact, this trend already started in 2019, with several states and cities seeking, albeit, unsuccessfully, to enact their own biometric privacy statutes — many of which were carbon copies of BIPA. In 2020, companies should expect a continued, concerted effort by lawmakers to pass their own similar legislation regulating the use of biometric technologies, especially in the absence of a uniform federal privacy law.
More States Will Likely Amend Their Breach Notification Laws to Include Biometric Data
Companies should also expect a continuation of the 2019 trend of states' amending their data breach notification laws to expand the definition of personal information to include biometric data. Of note, California’s amendment to its 2019 data breach notification law may accelerate the pace by which remaining states that have yet to add biometric data to their breach notification laws will execute this change over the next year.
Legislatures Will Likely Include Biometric Data Within the Scope of New Consumer Privacy Laws
Companies should also anticipate states will address biometric data in new consumer privacy laws in a fashion akin to what California did with the enactment of its game-changing consumer privacy law, the California Consumer Privacy Act of 2018. The CCPA, which went into effect on Jan. 1, includes biometric data within the types of protected data.
The CCPA also requires covered entities to give notice to consumers about how biometric data is used and provides for a private right of action if biometric data is subject to a data breach and the company failed to have implemented reasonable security measures to safeguard such data.
While the CCPA applies only to California, the stringent obligations placed on businesses handling consumer data have already influenced other states to implement similar legislation, with Nevada enacting its own consumer privacy law modeled after the CCPA in the second half of 2019.
In 2020, companies should expect other states to follow California’s lead in enacting similar consumer privacy laws that — among other things — will address the use of biometric data, which, in turn, will further complicate companies’ compliance burdens.
Congress Will Likely Continue to Push for Federal Biometric Privacy Regulation
At the federal level, Congress’ lack of success in enacting a federal biometric privacy law in 2019 will likely not deter lawmakers from continuing to push for federal biometric privacy regulation in 2020.
Ultimately, biometric regulation at the federal level has the highest likelihood of becoming law as part of a comprehensive consumer privacy regulatory regime — as opposed to a targeted, specific law focused solely on biometric data. Currently, momentum is building to pass a uniform, comprehensive federal consumer privacy law that includes biometric data. But significant differences still exist over what a nationwide privacy law should consider.
A substantial divergence of opinion exists among legislators as to whether a federal privacy law should preempt similar regulation at the state level, or whether states should be permitted to pass more stringent rules if they feel a federal law is too weak.
Legislators are also split on how a federal privacy law should be enforced and, more specifically, whether a federal law should provide consumers with a private right of action to pursue litigation for noncompliance or, alternatively, if enforcement powers should be limited to federal administrative agencies, like the Federal Trade Commission.
As the contours of BIPA continue to be refined and expanded through additional court decisions, and as more states and cities move to implement biometric privacy laws of their own, companies utilizing biometric data will have to address significant compliance hurdles to minimize risk in 2020.
Consequently, companies should not delay in taking proactive measures to update and enhance their biometric privacy compliance programs to ensure their regimes are flexible enough to adapt to, and conform with, the new biometrics laws likely to be added to the privacy landscape in 2020, while at the same time maintaining their current compliance obligations.
“Biometric Privacy in 2020: What Companies Can Expect,” by Jeffrey N. Rosenthal and David J. Oberly was published in Law360 on February 4, 2020.
 Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019).
 Patel v. Facebook, Inc., No. 18-15982 (9th Cir. Aug. 8, 2019).