The Coming Storm of Biometric Privacy Laws: What to Expect
This is the first article in a two-part series examining the rapid rise of domestic privacy laws and the resulting risk businesses face regarding the collection and use of biometric data. Part one provides an overview of the legal landscape of biometric privacy laws, including the tremendous amount of litigation generated by the Illinois Biometric Information Privacy Act, as well as additional biometric privacy bills recently introduced around the country. Part two provides tips and strategies for corporate entities to comply with today’s new wave of biometric privacy laws to minimize the risk of being targeted for high-exposure, biometric privacy class litigation.
Technological advancements continue to unlock new ways for companies to utilize biometric data — which captures unique, measurable human biological or behavioral characteristics — to improve the efficiency and effectiveness of their operations. Today, it is commonplace to use a fingerprint to unlock a smartphone or “punch in” to a digital timeclock.
But while biometric technology has produced a myriad of benefits, use of this cutting-edge technology also carries significant privacy risks. Unlike other forms of mutable personally identifiable information, once compromised, biometric data loses its ability to be used as a secure identifying feature.
To combat this risk and balance privacy concerns, several states have enacted laws focused on regulating the collection and use of biometric data by businesses. Many other states, and even some municipalities, have proposed their own biometric privacy laws which, if enacted, will subject companies to a patchwork of onerous biometric legislation in different parts of the country.
In addition to the Illinois Biometric Information Privacy Act’s well-known private right of action, many of these proposed biometrics laws also feature far-reaching private right of action provisions that would substantially increase the level of regulatory and litigation risk. At this juncture, it is imperative all companies using biometric data make a concerted effort and take actionable steps to ensure compliance with today’s new wave of biometrics laws and to minimize their future liability risk.
Current Legal Landscape
Currently, there are only three active, domestic biometric privacy laws on the books: Illinois’ BIPA, Texas’ Capture or Use of Biometric Identifier Act and Washington’s H.B. 1493.
Of those laws, only BIPA provides a private right of action for any person “aggrieved” by a violation thereof, and permits recovery of statutory damages of $1,000 per negligent violation or $5,000 if the violation is deemed intentional or reckless. These allowable statutory damages, combined with the ability to recover attorney fees, provide noteworthy incentives for plaintiffs attorneys to pursue class action litigation for alleged technical BIPA violations absent actual harm.
In January, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., opened the floodgates for a new wave of extremely costly litigation by holding plaintiffs can pursue BIPA claims even where no actual harm or damage is sustained. In addition, the U.S. Court of Appeals for the Ninth Circuit in Patel v. Facebook Inc., further expanded plaintiffs’ ability to pursue BIPA claims for “no harm” violations when it held any violation of BIPA amounts to a violation of substantive privacy rights and, as such, constitutes a cognizable concrete injury-in-fact for purposes of Article III standing.
Combined, companies utilizing biometric data in connection with their business operations will continue to see a flurry of BIPA class action filings — carrying with them significant potential liability exposure — for the foreseeable future.
Additional Biometric Privacy Laws on the Horizon
Several other states recently introduced biometric privacy bills that are now pending in their respective legislatures. And many of these proposed bills feature a private right of action provision substantially similar, if not identical, to Illinois’ BIPA.
In 2019, the New York Legislature introduced (for the third time) a bill that would implement the New York Biometric Privacy Act — a carbon copy of BIPA. The New York BPA would — like Illinois’ BIPA — provide a private right of action for any individual “aggrieved” by a violation of the law and would allow individuals to recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, along with attorney fees.
Beyond New York, many other states have attempted — but ultimately come up short — in enacting their own versions of BIPA. For example, in the beginning of 2019 the Florida Legislature proposed a bill known as the Florida Biometric Information Privacy Act — also modeled off BIPA — which set forth stringent requirements on the collection, storage and dissemination of biometric data by Florida entities.
The Florida law also contained a private right of action almost identical to the Illinois BIPA, which allowed any “aggrieved” individual to file suit for violations. Likewise, the Florida law also afforded plaintiffs the ability to recover statutory damages in the amount of $1,000 per negligent violation and $5,000 per intentional or reckless violation, as well as attorney fees. Florida’s proposed law, however, died during the 2019 legislative session. But Florida lawmakers have indicated an intention to reintroduce the bill during the 2020 legislative cycle.
Municipalities are also getting into the mix as well, as evidenced by New York City’s recent introduction of its own proposed biometric privacy law. While the New York City law differs slightly from its Illinois and New York state counterparts — in that it would impose less burdensome requirements on the collection, use and storage of biometric data vis-à-vis the Illinois BIPA and the New York BPA — the New York City law would nonetheless also provide a private right of action permitting any “aggrieved individual” to recover $1,000 for negligent violations and $5,000 for intentional or reckless violations, along with attorney fees.
Critically, the New York City law also features a unique provision — that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action” — which would allow plaintiffs to avoid the potential statutory standing hurdles that often serve as roadblocks in similar litigation.
Significantly, while the Illinois Supreme Court ultimately clarified the “aggrieved” language in BIPA did not require an individual sustain any actual injury or damages to pursue a cognizable claim and be entitled to liquidated damages under BIPA, the New York City law eliminates any doubt on this issue by explicitly specifying that individuals would possess standing to sue for any violations of the law.
What This Means for Corporate Defendants
Currently, the New York and New York City biometric privacy bills are still in the nascent stages of the legislative process. And it has yet to be seen if either of these bills will ultimately be enacted into law. With that said, the aggressive manner in which an array of different state and municipal legislative bodies have sought to enact their own biometric privacy laws illustrates the seriousness with which governmental bodies across the nation are considering stringent statutory requirements and limitations on the collection and use of biometric data.
These attempts represent a growing trend across the nation geared toward requiring companies that handle sensitive biometric information to tighten up their biometric privacy collection, use and security practices. Ultimately, with more states and cities seeking to enact biometric privacy laws of their own, it is imperative all entities utilizing biometric information in the course of their business activities devote the necessary time, effort and resources to adapt to the rapidly evolving legal landscape of biometric privacy law.
Even those companies that do not currently fall under the scope of any biometric privacy laws should consider taking proactive steps to revamp and update their notice, consent, retention and security practices and protocols to account for imminent regulation. Fortunately, there are several strategies and best practices that companies can implement to ensure compliance with today’s new wave of biometric privacy laws and mitigate potential liability exposure.
“The Coming Storm of Biometric Privacy Laws: What to Expect,” by Jeffrey Rosenthal and David Oberly was published in Law360 on November 14, 2019.
 Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019).
 Patel v. Facebook Inc., No. 18-15982 (9th Cir. Aug. 8, 2019), pet. for rehearing en banc denied, (Oct. 18, 2019).