Court Rulings May Spur States to Enact Biometric Privacy Legislation
Once the stuff of science fiction, biometric technology—which can identify individuals based on unique characters like their face, fingerprint, voice, etc.—has proliferated modern life. Whether unlocking the smartphone in your pocket, using your face as your ticket at the airport, or tracking time/attendance using fingerprints or irises, biometric technology has changed the way employees and consumers access services and perform their job functions. But with massive settlements and a recent nine-figure class action verdict for plaintiffs based on the Illinois Biometric Information Privacy Act (BIPA), improperly handling biometric data can be devastating. And now more state legislatures may be getting into the mix.
In the 2023 legislative session alone, new proposals for biometric privacy laws have emerged in at least 11 states: New York, Washington, Massachusetts, Arizona, Maryland, Minnesota, Missouri Tennessee, Mississippi, Hawaii and Vermont. So, whether a company is collecting biometric information in one of these states, or plans to do so, an awareness of the shifting legal and legislative landscape is critical to avoiding becoming the next target of an expensive and time-consuming class action.
Biometric Legislative Activity Heating Up in 2023
Biometric privacy legislation may be on the verge of significant expansion among the states. Today, BIPA remains the landmark state statute in this area—both because of its scope, and because, unlike other biometric privacy statutes currently in effect, BIPA contains a private right of action allowing individuals to sue for alleged violations.
These other states’ proposals are largely modeled on BIPA, and generally include common features like: a private right of action; a prohibition on selling or otherwise monetizing an individual’s biometric information; a requirement to obtain an individual’s consent to collect biometric information and inform them of the purpose/duration of any storage thereof; a prohibition on disclosing an individual’s biometric information without their consent, except in limited circumstances (such as where required by law); a requirement to destroy collected biometric information within a certain period (no more than three years in most cases, and shorter periods under some proposals); and a requirement that covered entities create and publicly maintain a written policy setting out their retention policies and destruction guidelines for biometric data.
The new state proposals are not without nuance, however. Contrary to the general approach of only applying to private-sector entities, Washington and New York’s proposed laws would also apply to public-sector entities, omitted under BIPA and other states’ proposals.
Moreover, the Massachusetts and Mississippi bills—in addition to a private cause of action—would each give individuals the right to request their biometric data and information related to the covered entity’s use of the same. This would naturally implicate new administrative and compliance costs along with the added legal exposure. The proposed Mississippi and Missouri laws, meanwhile, would also bar entities from conditioning the provision of services on an individual consenting to the collection of biometric data—raising potentially difficult choices for various industries.
Added nuances aside, these proposals all resemble BIPA in most major respects; thus, they have the potential to significantly complicate compliance efforts for all companies that collect and store biometric information. This makes monitoring new developments in BIPA litigation even more important in 2023.
Recent Case Law Raises the Stakes for Biometric Privacy
Two Illinois Supreme Court decisions in recent weeks underscore how fast-moving the landscape is: Tims v. Black Horse Carriers and Cothon v. White Castle System. Tims announced that a five-year statute of limitations applies to BIPA claims, rather than the one-year limitations period defendants had argued for. In Cothon, the court ruled each “scan” or “transmission” of covered biometric data in violation of BIPA constitutes a “separate claim” under the private right of action. Taken in combination with prior BIPA-expanding court decisions holding plaintiffs may pursue such claims even if they have not suffered any “actual harm” or injury, under Rosenbach v. Six Flags, and cases holding that BIPA may apply to other forms of biometric data, the potential proliferation of copycat statutes may portend a new wave of compliance and litigation risk.
Could Existing Privacy/Unfair Competition Laws Fill the Gap Where There Is No Biometric Statute?
Even without pending legislation, plaintiffs have argued existing privacy and unfair competition laws are themselves sufficient to enforce biometric violations—even in the absence of dedicated statutory protections.
For instance, at least one state court recently held state privacy laws, unfair competition laws, or even state constitutional protections could allow a private action based on the collection/use of biometric data. In Renderos v. Clearview AI, a Superior Court judge in Alameda County, California held common law privacy rights, the California constitution, and California’s broad Unfair Competition Law all provided BIPA-like causes of action.
Relatedly, Tennessee’s proposed biometric privacy statute also has a provision declaring that, in addition to a new statutory cause of action, violations of the proposed act would constitute violations of the state’s Consumer Protection Act.
If other courts and states follow suit, this could be a sea change in biometric privacy compliance and litigation—companies in all fifty states would potentially be exposed to BIPA-like claims, with or without their own legislatures passing a biometric privacy law.
Biometric privacy remains a constantly evolving and expanding area of the law. Companies that collect and handle biometric data would do well to monitor new developments closely to ensure their own practices are compliant with existing law; this effort should also include remaining nimble in the face of an uncertain legislative future.
“Court Rulings May Spur States to Enact Biometric Privacy Legislation,” by Jeffrey N. Rosenthal and Andrew Schrag was published on March 9, 2023, in The Legal Intelligencer.
Reprinted with permission from the March 9, 2023, edition of The Legal Intelligencer © 2023 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited.