The Coming Storm of Biometric Privacy Laws: How to Comply
This is the second article in a two-part series examining the rapid rise of domestic privacy laws and the resulting risk businesses face regarding the collection and use of biometric data. Part one provided an overview of the legal landscape of biometric privacy laws, including the tremendous amount of litigation generated by the Illinois Biometric Information Privacy Act, as well as additional biometric privacy bills recently introduced around the country. Part two provides tips and strategies for corporate entities to comply with today’s new wave of biometric privacy laws to minimize the risk of being targeted for high-exposure, biometric privacy class litigation.
Recently, there has been a significant uptick in bet-the-company class action litigation under the Illinois Biometric Information Privacy Act relating to the use and collection of biometric data — which captures unique, measurable human biological or behavioral characteristics — in the workplace and other commercial settings.
In 2019, the combination of the Illinois Supreme Court’s Rosenbach v. Six Flags Entertainment Corp. decision,[1] and the U.S. Court of Appeals for the Ninth Circuit’s Patel v. Facebook Inc. decision — in which both held BIPA’s private right of action provision does not require plaintiffs to demonstrate an actual injury — opened the floodgates for extremely costly litigation.
Further complicating matters, states and municipalities from coast to coast have followed Illinois’ lead and are seeking to enact similar laws aimed at regulating the collection and use of biometric data. Many contain analogous private right-of-action provisions that would significantly heighten the potential liability faced by businesses for mere technical violations.
Companies — regardless of where they do business — should devote time and effort to creating (or updating) their biometrics practices to ensure compliance with this new wave of biometric privacy laws to mitigate potential liability risk. Fortunately, there are several actionable steps companies can take to minimize the risk of litigation exposure.
Biometric Data Policy
First, companies must create and implement a comprehensive, written company policy regarding the entity’s collection, use, storage and safeguarding of biometric data. At a minimum, this policy should encompass the following issues: notice that biometric data is being collected and/or stored by the company; the company’s purpose for collecting and using biometric data; the types of biometric data that will be collected and used; how the biometric data will be used; and a description of the protective measures that are used to store and safeguard biometric data.
This policy should also establish a written retention schedule and guidelines for permanently destroying biometric data and, more specifically, should specify that data will be destroyed when the initial purpose for collecting or obtaining such data has been satisfied, or within three years of the individual’s last interaction with the company, whichever occurs first.
The policy should also strictly prohibit the disclosure of any individual’s biometric data without his or her consent and should ban the entity and its employees from selling or otherwise profiting from any biometric data. The company’s biometrics policy, including its retention schedule, must be made publicly available, which, at a minimum, should entail including it in the organization’s broader online privacy policy.
Written Notice
Second, companies must also ensure they provide individualized, advance written notice before collecting, using or storing any biometric data.
At a minimum, written biometric data notices must contain language informing individuals that: (1) biometric data is being collected and stored; (2) the specific purpose for collecting and using biometric data; (3) the length of time for which the data is being collected, stored and used; (4) the company’s schedule and procedure for permanently disposing of biometric data; (5) any protective measures utilized to safeguard biometric data; and, where applicable, (6) language that informs the individual their biometric data will be shared with service providers or third-parties.
The notice should also provide a statement that the company will not disclose individuals’ data without their consent; will not sell or otherwise profit from individuals’ biometric data; and will employ security measures that conform with the reasonable standard of care and which are at least as stringent as those measures used to protect other forms of sensitive personal information.
While no established consensus exists as to what is enough to satisfy the notice requirement of today’s biometric privacy laws, at a minimum, companies should include their biometric privacy notice in their online privacy policy. In addition, where applicable, companies should provide individualized written notice to all individuals before their biometric data is captured as well.
Written Consent/Release
Third, it is also imperative that companies obtain signed, written consent — in the form of a written release — from all individuals authorizing the company to collect, use and store their biometric data before any biometric data is captured or used for any purpose.
In signing the written consent, individuals should acknowledge that they have read the company’s general biometric data policy as well as the more specific, written notice that has been provided regarding its collection and use of biometric data. This notice should also make clear that the individual consents to those policies and guidelines, as well as to the collection and use of their biometrics, including the company’s ability to share their biometrics with any service providers or third-party vendors.
Also, companies should ensure they maintain a detailed written record of how and when consent was acquired so it can affirmatively demonstrate its compliance. Importantly, obtaining a written release prior to the collection of any biometric data can serve as a robust defense to any claim that an individual lacked adequate biometric data-related notice.
Security Measures
Fourth, companies must ensure they put effective safeguards in place to protect biometric data from improper access or acquisition. To satisfy this test, companies must ensure they safeguard biometric data: (1) using the reasonable standard of care applicable to the entity’s given industry and (2) in a manner that is the same or more protective than the manner in which the entity stores, transmits and protects other forms of sensitive personal information.
In addition, businesses should formally (and thoroughly) document the security controls implemented to protect biometric data as part of a written information security plan. More specifically, a company’s WISP should include a detailed written record of all the biometrics-specific security controls incorporated into its security program, as well as how those controls are appropriate and tailored to the nature of the specific types of biometric data collected, used, transmitted and stored by the entity.
Importantly, documenting the company’s efforts to implement security measures tailored to the cyber risks associated with the specific biometric data will enable the entity to affirmatively demonstrate its compliance with biometric privacy laws and, more specifically, show it has employed a “reasonable standard of care” in putting in place appropriate, effective defensive cyber mechanisms.
Vendor Contracts
Finally, companies utilizing third-party vendors for the collection, use or storage of biometric data should review and update their vendor contracts to take into consideration the principal issues raised by biometric data laws. Specifically, companies should consider incorporating key contractual terms specific to biometric data, including, most importantly, indemnification provisions, insurance requirements and employee training provisions.
This also includes additional terms mandating that vendors employ reasonable safety controls to properly protect biometric information, delete biometric data when required (or requested by the company) and provide prompt notice in the event of a data breach event.
Conclusion
While Illinois has led the way with its enactment of BIPA, it will certainly not be the last jurisdiction to enact stringent regulation pertaining to biometric data. Many other states and cities have proposed legislation modeled after BIPA; it is only a matter of time before other parts of the country enact their own similar legislation regulating the collection, use and retention of biometric data. This, in turn, will lead to significantly greater regulation in the coming months and years.
Importantly, companies should anticipate that the pace of biometric privacy regulation will accelerate in the near future, as it is likely additional states and cities — and even the federal government—will follow Illinois’ lead. As additional laws continue to be enacted, the liability risk data will steadily increase.
Given the speed at which the legal landscape of biometric privacy law is evolving, companies that incorporate biometric data into their business practices — even those operating in jurisdictions where no biometric laws are currently on the books — should consider taking proactive measures to create/implement biometrics compliance programs encompassing the above principles.
Significantly, an early start toward compliance can make all the difference between achieving full compliance or being on the receiving end of a potentially catastrophic class action suit for purported violations of the biometric data laws.
“The Coming Storm of Biometric Privacy Laws: How to Comply,” by Jeffrey Rosenthal and David Oberly was published in Law360 on November 15, 2019.
[1] Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019).
[2] Patel v. Facebook Inc., No. 18-15982 (9th Cir. Aug. 8, 2019), pet. for rehearing en banc denied, (Oct. 18, 2019).