Complying with the World’s Most Stringent Biometric Privacy Law

Ohio Lawyer

Technological advancements continue to unlock new ways for companies to utilize biometric data — which captures unique, measurable human biological or behavioral characteristics — to improve the efficiency and effectiveness of their operations. With that said, in addition to its myriad of benefits, use of this burgeoning type of data also carries with it noteworthy legal liability risks. In particular, there has been a significant uptick in bet-the-company class action litigation under the Illinois Biometric Information Privacy Act (BIPA) relating to the collection and use of biometric data in a variety of commercial settings. Importantly, BIPA provides a private right of action that allows individuals to pursue litigation for mere technical violations of the law — even where no actual harm/damage is sustained — which has paved the way for an onslaught of high-profile litigation that will continue to flood courts for the foreseeable future.

While the name of the law suggests that BIPA applies only to companies located in Illinois, the reach of BIPA extends well beyond the borders of the Prairie State. Specifically, any business that collects or otherwise uses the biometric data of individuals located in Illinois must comply with the mandates of BIPA. That means that many Ohio businesses — so long as they conduct any operations that involve the collection or use of biometric data in Illinois — are required to follow the requirements of Illinois’s biometric privacy statute. As such, those Ohio companies that fall under the scope of BIPA — and, more importantly, their legal counsel — must take immediate action (if they have not done so already) to ensure strict compliance with this game-changing law to mitigate the risk of litigation exposure. 

Current Legal Landscape

Currently, there are only three active, domestic biometric privacy laws on the books: Illinois’s BIPA, Texas’s Capture or Use of Biometric Identifier Act (CUBI), and Washington’s H.B. 1493. 

Of those laws, BIPA is generally considered by far the most stringent. Under BIPA, a “private entity” — defined as any individual, partnership, corporation, limited liability company or other group — cannot collect or store biometric data without first providing notice, obtaining written consent, and making certain disclosures, including the development of a written biometrics privacy policy. In addition, BIPA is the only law to provide a private right of action for any person “aggrieved” by a violation thereof, and permits recovery of statutory damages of $1,000 per negligent violation, or $5,000 if the violation is deemed intentional or reckless. These allowable statutory damages, combined with the ability to recover attorney’s fees, provide noteworthy incentives for plaintiffs’ attorneys to pursue class action litigation for alleged BIPA violations.

In January 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp(1) opened the floodgates for a new wave of extremely costly litigation by holding plaintiffs can pursue BIPA claims even where no actual harm or damage is sustained. In addition, the Ninth Circuit in Patel v. Facebook, Inc.(2) further expanded plaintiffs’ ability to pursue BIPA claims for “no harm” violations when it held any violation of BIPA amounts to a violation of substantive privacy rights and, as such, constitutes a cognizable concrete injury-in-fact for purposes of Article III standing. Taken together, these decisions mean companies utilizing biometric data in connection with their business operations will continue to see a flurry of BIPA class action filings, carrying with them significant potential liability exposure, for the foreseeable future.

The extensive potential liability risk stemming from the collection, use and storage of biometric data (and BIPA’s private right of action in particular) should give businesses significant pause when using biometric data in the course of their operations. Fortunately, there are several best practices that companies can implement to minimize the risk of becoming embroiled in BIPA litigation stemming from the use of biometric data.

Biometric Data Privacy Policy

As a starting point, companies utilizing biometric data, with the assistance of their legal counsel, should ensure transparency as to how they collect, use, store, share and dispose of this type of data by implementing a detailed biometric data privacy policy.

At a minimum, privacy policies should encompass the following issues: (1) notice that biometric data is being collected and/or stored; (2) the current and reasonably foreseeable purposes for which the company utilizes biometric data; (3) how biometric data will be used; (4) a description of the protective measures used to safeguard biometric data; and (5) the company’s biometric data retention and destruction policies and practices. These policies should also strictly prohibit the disclosure of any individual’s biometric data without their consent and should ban the company and its employees from selling or otherwise profiting from any such data.

Biometric data privacy policies should be made publicly available, which, at a minimum, should entail inclusion in the entity’s broader online privacy policy. Companies should also update their policies whenever any material modifications are made to their biometric data management practices.

Written Notice

Second, to further support the principle of transparency, companies and their counsel should provide conspicuous, advance notice of the use of biometric data before any such data is captured, used or stored. In so doing, companies should offer consumers meaningful notice regarding how biometric data will be used, shared and stored. At a minimum, all written biometric data notices must contain language informing individuals of: (1) the fact that biometric data is being collected and stored; (2) the specific purpose for collecting and using biometric data; (3) the length of time for which the data is being collected, stored and used; (4) the company’s schedule and procedure for permanently disposing of biometric data; (5) any protective measures utilized to safeguard biometric data; and (6) the fact that biometric data may be shared with service providers or third parties. Where appropriate, or required by law, contextual and just-in-time notices may be necessary.

While no consensus exists as to what is sufficient to satisfy the notice requirement of today’s biometric privacy laws, at a minimum, companies should include their biometric privacy notice in their online privacy policy. In addition, where applicable, companies should provide individualized written notice to all individuals before their biometric data is captured.

Written Consent/Release

Third, it is also imperative companies and their counsel obtain signed, written consent, in the form of a written release, from all individuals authorizing the company to collect, use and store their biometric data before any biometric data is captured or used for any purpose.

In signing the written consent, the individual should acknowledge he/she has read the company’s general biometric data policy as well as the more specific written notice that has been provided regarding its collection and use of biometric data. This consent/release should also make clear the individual consents to those policies and guidelines, as well as to the collection and use of his or her biometrics, including the company’s ability to share their biometrics with any service providers or third-party vendors.

Also, companies should ensure they maintain a detailed written record of how and when consent was acquired so they can affirmatively demonstrate their compliance. Importantly, obtaining a written release prior to the collection of any biometric data can serve as a robust defense to a claim an individual lacked adequate biometric data-related notice, or did not provide consent to the use of biometric data by the company.

Data Security Measures

Finally, companies and their counsel must ensure the implementation of effective data security safeguards to protect all biometric data that is captured, used and stored by the company from improper disclosure, access or acquisition. In particular, counsel should ensure that their organizations safeguard biometric data: (1) using the reasonable standard of care applicable to their given industry; and (2) in a manner that is the same or more protective than that in which the company stores, transmits and protects other forms of sensitive personal information. Companies should also periodically assess their biometric data security measures and complete any updates/modifications to their security programs to address and neutralize any new or evolving threats and vulnerabilities.

In terms of data security measures themselves, all biometric data should be stored separately from other personal information such as names, birthdates and account numbers. All stored biometric data should also be encrypted, both in transit and while at rest. And companies should also establish and implement appropriate retention and disposal practices. Finally, companies must ensure their biometric data is hosted and managed by a reputable, trusted third party with the requisite experience, expertise and security controls to effectively store and safeguard this especially sensitive type of data.
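The storage measures described above (biometric templates kept apart from names and account numbers, encrypted at rest, and disposed of on a schedule) can be expressed as a small store design. The following Go program is an added example written for this page; it is not code from the article or from any vendor it mentions. It assumes a hypothetical three-year retention period (the article requires a disposal schedule but specifies no number), chooses AES-256-GCM as the at-rest cipher and a random opaque subject ID as the only link between the person record and the template, and leaves encryption in transit (TLS) to the surrounding service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Hypothetical retention period; the article requires a disposal schedule
// but does not state a figure, so this value is an assumption.
const retentionPeriod = 3 * 365 * 24 * time.Hour

// Person holds ordinary personal information. It carries only an opaque
// SubjectID; the biometric template itself lives in a separate store.
type Person struct {
	Name      string
	AccountNo string
	SubjectID string
}

// biometricRecord is the encrypted template plus the timestamps that drive
// retention and disposal. No name or account number is stored alongside it.
type biometricRecord struct {
	nonce      []byte
	ciphertext []byte
	collected  time.Time
	lastUsed   time.Time
}

// BiometricStore keeps templates apart from other personal data and
// encrypts each one at rest with AES-256-GCM under a single store key.
type BiometricStore struct {
	aead    cipher.AEAD
	records map[string]*biometricRecord
}

// NewBiometricStore takes a 32-byte key (AES-256).
func NewBiometricStore(key []byte) (*BiometricStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &BiometricStore{aead: aead, records: map[string]*biometricRecord{}}, nil
}

// newSubjectID returns a random identifier so the biometric store is never
// keyed by a name, account number or other directly identifying value.
func newSubjectID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Enroll encrypts a template and returns the SubjectID the person record
// will carry. The SubjectID is bound as GCM additional data, so a ciphertext
// copied under another subject's ID fails to decrypt.
func (s *BiometricStore) Enroll(template []byte, now time.Time) (string, error) {
	id, err := newSubjectID()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nil, nonce, template, []byte(id))
	s.records[id] = &biometricRecord{nonce: nonce, ciphertext: ct, collected: now, lastUsed: now}
	return id, nil
}

// Template decrypts a stored template for a matching operation and records
// the access time, which the retention schedule uses.
func (s *BiometricStore) Template(id string, now time.Time) ([]byte, error) {
	rec, ok := s.records[id]
	if !ok {
		return nil, errors.New("no template for subject")
	}
	pt, err := s.aead.Open(nil, rec.nonce, rec.ciphertext, []byte(id))
	if err != nil {
		return nil, err
	}
	rec.lastUsed = now
	return pt, nil
}

// Destroy permanently removes one subject's template, e.g. when the purpose
// for collection has been satisfied. Returns false if nothing was stored.
func (s *BiometricStore) Destroy(id string) bool {
	_, ok := s.records[id]
	delete(s.records, id)
	return ok
}

// PurgeExpired is the scheduled disposal: every template not used within the
// retention period is deleted. Returns the number of templates destroyed.
func (s *BiometricStore) PurgeExpired(now time.Time) int {
	n := 0
	for id, rec := range s.records {
		if now.Sub(rec.lastUsed) > retentionPeriod {
			delete(s.records, id)
			n++
		}
	}
	return n
}

// Count reports how many templates remain in the store.
func (s *BiometricStore) Count() int { return len(s.records) }

func main() {
	key := make([]byte, 32) // in production this key comes from a KMS/HSM
	rand.Read(key)
	store, _ := NewBiometricStore(key)
	now := time.Now()
	id, _ := store.Enroll([]byte("constructed-template-bytes"), now) // constructed sample
	p := Person{Name: "Jane Doe", AccountNo: "0001", SubjectID: id}
	tpl, _ := store.Template(p.SubjectID, now)
	purged := store.PurgeExpired(now.Add(retentionPeriod + time.Hour))
	fmt.Printf("template=%q purged=%d remaining=%d\n", tpl, purged, store.Count())
}
```

The person table and the template store can be placed in different databases or services with separate access controls; the only shared value is the opaque SubjectID, so a compromise of the person table exposes no biometric data, and a compromise of the template store exposes ciphertext with no name attached. Binding the SubjectID as additional authenticated data also gives a cheap integrity check against records being re-associated.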

Conclusion

2019 saw an explosion of bet-the-company BIPA class action litigation, including numerous high-profile suits targeting the biometrics practices of some of the world’s largest tech giants, and companies should expect more of the same throughout the course of 2020. Accordingly, now is the time for all businesses — regardless of where they are located — to put in place flexible, adaptable biometric privacy compliance programs. Experienced counsel, whether they be in-house or from outside law firms, should be included in all such planning discussions. In doing so, businesses and their legal advisors can minimize the risk of being on the receiving end of a potentially catastrophic class action suit for purported violations of Illinois’s stringent biometric privacy law.

“Complying with the World’s Most Stringent Biometric Privacy Law,” by David J. Oberly was published in the January‒March 2020 edition of Ohio Lawyer.


1. 2019 IL 123186 (Ill. 2019)

2. No. 18-15982 (9th Cir. Aug. 8, 2019), pet. for rehearing en banc denied, (Oct. 18, 2019)