Biometric Privacy in 2022: What to Expect This Year (Part 2)

Legaltech News

This is the second article in a three-part series analyzing key developments in the area of biometric privacy that took place in 2021, as well as what companies can expect in 2022. Part one took a look back at the major developments of 2021 and the current legal landscape as it exists as we enter 2022. Part two explores what companies can expect in the biometric privacy arena over the next year. And part three offers tips and strategies for companies to maintain compliance with both current and anticipated biometric privacy laws based on lessons learned to date.


2021 brought with it many significant developments in the biometric privacy space, with Illinois Biometric Information Privacy Act (BIPA) class litigation continuing apace, decisions expanding the scope of BIPA liability exposure, new laws imposing greater requirements and restrictions over the collection and use of biometric data, and additional (albeit unsuccessful) efforts by other legislatures to exert greater control over the commercial use of biometrics.

Looking ahead, companies can expect more of the same in 2022, with legislatures across the country continuing to enact new laws to provide tighter regulation over biometric technologies, as well as additional BIPA decisions that will further define the contours of Illinois’ biometric privacy law.

With that said, 2022 will likely diverge from 2021 in at least one significant respect, with the Federal Trade Commission (FTC) taking a much more active role in holding companies accountable for the misuse of facial recognition software.

So what developments in particular should companies expect to see in biometric privacy in 2022?

BIPA Litigation Will Continue to Inundate the Courts, While Liability Exposure Continues to Increase

First and foremost, companies should anticipate that BIPA litigation will continue to flood the courts in 2022 at a similar—if not increased—pace as compared to 2021.

At the same time, appellate courts are set to issue several decisions in 2022 that will provide clarity on a number of key, unsettled BIPA issues, but which may also expand the scope of BIPA liability exposure even further in the process.

As discussed in Part 1, the 2021 decision in Tims v. Black Horse Carriers, Inc. resolved some of the uncertainty regarding the applicable limitations periods for BIPA claims—ruling that BIPA’s two most commonly-asserted provisions, Sections 15(a) and (b), are both subject to a five-year limitations period.

While Tims offers some level of clarity on the statute of limitations question, it will not be the final word on this matter, as a second appeal also addressing this issue—Marion v. Ring Container Techs., LLC—remains pending at this time. A decision in Marion is expected sometime in the first half of 2022.

In addition, the Illinois Supreme Court will also issue its decision sometime in the next year in McDonald v. Symphony Bronzeville, which is poised to provide litigants with a definitive answer on whether BIPA claims are preempted by the Illinois Workers’ Compensation Act (IWCA). To date, all courts that have considered the issue have found the IWCA inapplicable in the context of BIPA. It is likely that Illinois’ high court will come to the same conclusion, completely eliminating IWCA preemption as a defense to BIPA claims.

Finally, and perhaps most importantly, the Illinois Supreme Court is slated to issue its ruling in Cothron v. White Castle System, Inc., which will resolve the uncertainty as to whether conduct resulting in repeated BIPA violations gives rise only to a single claim accruing at the time of the first violation or, alternatively, whether such conduct constitutes separate and independent claims that accrue for each instance of non-compliance. While the Seventh Circuit Court of Appeals had the opportunity to do so at the end of 2021, it punted on answering the question and instead certified the question to the Illinois Supreme Court to provide definitive guidance.

The Cothron appeal could have a seismic impact on BIPA liability depending upon which side the court comes down on; if it adopts the more expansive view of accrual, the value of BIPA class actions will rise even further and, in turn, drive up the frequency of filings to levels far surpassing anything seen to date.

Facial Recognition Will Remain a Popular Target for BIPA Class Action Suits

Facial recognition leapfrogged fingerprint biometrics as the most popular target for BIPA class action suits in 2021, with many forces fueling this shift in focus. For one, facial recognition has long been the target of unflattering media coverage stemming from undisclosed and potentially improper uses of the technology.

At the same time, facial recognition is now being increasingly adopted in place of fingerprint biometrics systems, which is due largely to the health advantages offered by the contactless nature of facial biometrics.

As businesses place even greater reliance on facial recognition software in 2022 and its use becomes even more widespread, companies will inevitably see an even greater focus on facial biometrics as the primary target of the plaintiff’s bar for BIPA suits in the coming year.

New Wave of State- and Municipal-Level Biometric Privacy Laws

As federal lawmakers continue to drag their feet on enacting a nationwide, uniform biometric privacy regulatory regime, companies should anticipate a continuation of the 2021 trend of new biometrics regulation enacted at the state and municipal levels.

In particular, the success seen by Baltimore, Portland, and New York City lawmakers in 2021 in enacting strict regulation over the commercial use of biometric technologies is likely to encourage lawmakers in other cities and states to follow suit with tighter controls placed over the collection and use of biometric data in other parts of the country.

In addition, and perhaps more importantly, companies should also expect a continuation of the 2021 trend of lawmakers transitioning away from administrative enforcement (i.e., placing enforcement in the hands of state attorneys general or their municipal equivalents) and toward private rights of action as the main enforcement mechanism for new biometrics laws, which will expose businesses to significant class action litigation risks.

Lastly, in 2021 both Virginia and Colorado enacted comprehensive consumer privacy laws closely resembling the California Consumer Privacy Act of 2018 (CCPA). At the same time, South Carolina introduced (but failed to enact) its Biometric Data Privacy Act (BDPA), which was the first-of-its-kind “hybrid” biometric privacy law incorporating requirements and limitations ordinarily only included in broader consumer privacy statutes.

In 2022, it is likely that more proposed legislation will follow this hybrid approach involving the integration of a mix of traditional biometric and consumer privacy compliance requirements. If enacted, legislation similar to the BDPA would significantly increase compliance burdens for all entities that utilize biometric data in their operations.

Increased Policing of Facial Biometrics by the Federal Trade Commission

As discussed in Part 1, the FTC has made clear that policing the use of facial recognition will remain a top priority for the Commission in 2022 and beyond. Companies should expect the FTC to make good on its promise by aggressively pursuing entities that use facial recognition in an allegedly improper manner—not only with enforcement actions, but also by requiring violators to relinquish both the data derived from the improper use of facial biometrics and the benefits—like facial template algorithms—generated from that data.

Going forward, companies will not only have to ensure compliance with the ever-extending patchwork of state- and municipal-level laws governing the use of facial biometrics, but must also adequately mitigate the sharply increased risk presented by greater FTC scrutiny over the commercial use of facial recognition.

Conclusion

It is only a matter of time before biometric privacy laws are the norm—not the exception—across the country. Companies can get ahead of the compliance curve by taking a proactive approach and building out comprehensive, flexible biometric privacy compliance programs—even if they are not currently subject to any biometrics regulation.

Importantly, developing a tailored, comprehensive biometric privacy compliance program can ensure continued, ongoing compliance not just with current biometrics regulation, but with future laws as well—allowing companies to always stay a step ahead of today’s constantly-evolving biometric privacy legal landscape.

“Biometric Privacy in 2022: What to Expect This Year (Part 2),” by David J. Oberly was published in Legaltech News on January 11, 2022.