Biometric Privacy in 2022: The Current Legal Landscape (Part 1)
This is the first article in a three-part series analyzing key developments in the area of biometric privacy that took place in 2021, as well as what companies can expect in 2022. Part one takes a look back at the major developments of 2021 and the current legal landscape as it exists as we enter 2022. Part two explores what companies can expect in the biometric privacy arena over the next year. And part three offers tips and strategies for companies to maintain compliance with both current and anticipated biometric privacy laws based on lessons learned to date.
2021 was another important year for biometric privacy. Illinois Biometric Information Privacy Act (BIPA) class action litigation filings continued their torrid pace of years past, as liability exposure risks continued to expand.
At the same time, lawmakers added a number of new wrinkles to the biometric privacy legal landscape with the enactment of new biometric privacy laws. Other legislatures unsuccessfully attempted to install biometric privacy regulation of their own, and are likely to continue these pursuits in 2022.
Finally, the Federal Trade Commission (FTC) announced its intent to aggressively police the use of facial biometrics for the foreseeable future, adding another layer of complexity to companies’ compliance obligations in the coming year.
Taken together, these major 2021 developments will make mitigating potential class action liability exposure and remaining compliant with the law a significantly more complex, difficult task for companies that utilize biometrics in their operations as compared to years past.
Illinois Appellate Court Resolves Uncertainty Over Applicable BIPA Statute of Limitations Period (For Now)
In September 2021, an Illinois Appellate Court delivered its much-anticipated decision in Tims v. Black Horse Carriers, Inc., addressing the applicable statute of limitations for causes of action asserted under BIPA.
Tims held that claims brought under Sections 15(a), (b), and (e)—pertaining to the law’s privacy policy/data destruction, notice/consent, and data security requirements—are subject to a five-year statute of limitations. Conversely, claims asserted under Sections 15(c) and (d)—relating to the law’s ban on profiting from biometric data and disclosure limitations—are subject to a one-year limitations period.
Importantly, in finding that BIPA’s two most commonly-asserted provisions, Sections 15(a) and (b), are subject to the longer five-year limitations period, the opinion portends that the tsunami of class action BIPA filings will continue to flood the courts for the foreseeable future.
FTC Announces Its Intent to Prioritize the Policing of Facial Recognition Technology
Taking note of the mounting reliance (and occasional misuse) of facial biometrics, the FTC offered clear notice that it has set its sights on aggressively policing the use of facial recognition for the foreseeable future, significantly raising the liability risks associated with this popular form of biometrics.
In early 2021, the FTC settled its enforcement action relating to the improper facial recognition practices of photo developer Everalbum, Inc. The enforcement action was a watershed event in the area of FTC privacy and security enforcement, as it marked the first time the agency has singled out and specifically targeted the misuse of facial recognition technology.
In announcing the settlement, the FTC provided an unequivocal warning that policing facial recognition technology will be a top priority for the agency moving forward. Shortly thereafter, the FTC’s then-Acting Chair, Rebecca Kelly Slaughter, reiterated the Commission’s newfound focus, promising to “redouble” the agency’s efforts to identify and pursue facial recognition privacy and security violations.
Expansion of Private-Sector Facial Recognition Bans
Facial recognition has been the subject of a steady stream of negative media coverage over the past two years, namely pertaining to potential accuracy and bias problems. To combat these concerns, the city of Portland, Oregon, enacted a sweeping ban prohibiting the use of facial recognition by private companies, which went into effect at the start of 2021.
Until the Portland ordinance, other jurisdictions regulating the use of facial biometrics had limited the scope of their bans to law enforcement and other public agencies. Portland, however, took this regulation a significant step further by applying it to the private sector as well. The ordinance also includes a private right of action permitting the recovery of $1,000 in statutory damages per violation, as well as attorney’s fees in some instances.
In June 2021, Baltimore became the second U.S. jurisdiction to enact an outright private-sector ban on the use of facial biometrics. Significantly, Baltimore took this regulation even further than Portland by imposing criminal penalties for non-compliance.
New Types of Biometrics Regulation Emerge
For the second year in a row, companies saw the introduction of a new type of biometric privacy regulation not seen in prior years. In 2021, this took the form of regulation singling out and targeting specific industries and sectors of the economy.
At the start of the year, New York City Council enacted the nation’s first municipal-level biometric privacy law regulating “commercial establishments”—which encompasses all places of entertainment, retail stores, and food and drink establishments. The ordinance imposes two main compliance requirements: (1) clear and conspicuous signage providing notice of the collection and use of biometric data; and (2) a strict ban on selling, leasing, trading, or otherwise profiting from any transaction involving biometric data.
In May 2021, NYC Council enacted the Tenant Data Privacy Act (TDPA), which regulates owners and landlords of buildings that utilize biometric data and other forms of advanced digital technology as a method of access control. Unlike the narrow scope of the commercial establishments ordinance, the TDPA imposes a range of rigorous compliance requirements and restrictions, including those relating to privacy policies, notice, consent, and data security, as well as limitations on data collection and data retention and a ban on the sale of biometric data.
Of note, both ordinances include a private right of action that allows for the initiation of class litigation and the recovery of statutory damages for non-compliance.
More States Introduce (Unsuccessful) Biometric Privacy Legislation
Other states attempted (albeit unsuccessfully) to enact new biometric privacy laws of their own.
New York lawmakers rang in the new year in 2021 by introducing the New York Biometric Privacy Act (BPA), which sought to impose a carbon copy of Illinois’ stringent BIPA to the Apple State.
Shortly thereafter, Maryland introduced its Biometric Identifiers and Biometric Information Privacy Act, becoming the second state in 2021 to introduce targeted biometric privacy legislation modeled after Illinois’ biometric privacy law.
South Carolina legislators also introduced their own biometric privacy bill, the Biometric Data Privacy Act (BDPA). Significantly, however, instead of following in the footsteps of prior biometrics legislation, the BDPA incorporated only a small portion of the compliance components that are now common in today’s biometric privacy statutes and intertwined those with a number of compliance elements traditionally seen only in broader consumer privacy statutes like the California Consumer Privacy Act of 2018 (CCPA).
All three bills contained a private right of action provision as their main enforcement mechanism—standing in stark contrast to biometric privacy bills introduced in previous legislative cycles, which favored administrative enforcement and civil penalties over class action litigation.
Ultimately, while none of the three bills made their way into law in 2021, these legislative proposals signal lawmakers’ intention to continue their efforts to bring these bills to fruition during the 2022 legislative cycle.
Conclusion
As has been the case in years past, 2021 involved many noteworthy developments in the area of biometric privacy that not only increased the complexity of businesses’ compliance obligations when using biometrics, but also expanded the scope of liability exposure for non-compliance with the ever-increasing patchwork of biometric privacy laws as well.
As we head into 2022, companies can be certain that the coming year will feature the enactment of a number of new biometric privacy statutes and ordinances, as well as greater litigation risks, which together will only make the task of staying compliant with the law while using biometrics even more complex and challenging.
As a result, in addition to ensuring compliance with today’s current body of biometric privacy regulation, companies must also ensure they have in place flexible biometric privacy programs that can be easily modified and expanded to rapidly adapt to many new changes in the area of biometric privacy that are sure to be seen throughout 2022.
“Biometric Privacy in 2022: The Current Legal Landscape (Part 1),” by David J. Oberly was published in Legaltech News on December 21, 2021.
This article was reprinted in New York Law Journal's print edition on December 30, 2021.