Ky. BIPA Copycat Bill Could Usher in Class Action Tsunami
For three years now, Illinois' Biometric Information Privacy Act has maintained its status as the hottest new class action trend, spurring an onslaught of bet-the-company litigation fueled by the law's minimal requirements for establishing liability and high statutory damages awards.
Taking note of the increased commercial use of biometric technologies today, lawmakers in Kentucky started out the 2022 legislative session with the introduction of H.B. 32 — a carbon copy of BIPA.
If enacted, Kentucky's BIPA copycat bill would bring with it an avalanche of class actions similar to those companies have been facing in connection with Illinois' biometric privacy statute.
And from a broader perspective, if successful, H.B. 32 would likely generate further momentum for other states and cities to enact similar biometrics laws of their own.
The Current Biometric Privacy Legal Landscape
While BIPA filings continued their torrid pace of years past, 2021 was also marked by the enactment of a number of new laws and ordinances placing greater requirements and restrictions on the commercial use of biometric data.
In particular, both Portland, Oregon, and Baltimore enacted first-of-their-kind ordinances prohibiting the use of facial recognition across the board by the private sector.
In addition — for a second year in a row — companies saw the introduction of a new type of biometric privacy regulation not seen in prior years, this time taking the form of regulation singling out and targeting specific industries and sectors of the economy.
The first of these laws is New York City's biometrics-focused ordinance regulating commercial establishments, which encompasses all places of entertainment, retail stores, and food and drink establishments.
Later in the year, the New York City Council enacted its Tenant Data Privacy Act, which regulates owners and landlords of buildings that utilize biometric data and other forms of advanced digital technology as a method of access control.
Breakdown of Kentucky's BIPA Copycat Bill
The first state to propose new biometric privacy legislation in 2021 is Kentucky, with the introduction of its proposed H.B. 32. The bill is a carbon copy of Illinois' BIPA and would require companies to adhere to the following requirements:
- Privacy policies and guidelines for retaining and destroying biometric data;
- Written consent;
- A ban on selling or profiting from biometric data;
- Limitations on the disclosure and dissemination of biometric data; and
- Data security requirements.
In addition, H.B. 32 would — like BIPA — provide a private right of action for any individual aggrieved by a violation of the law to recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, as well as attorney fees.
In January 2019, the Illinois Supreme Court issued its seminal decision in Rosenbach v. Six Flags Entertainment Corp., interpreting the term "aggrieved" to mean that a mere violation of an individual's privacy rights, without more, was sufficient to pursue class litigation. In doing so, Rosenbach eliminated the essential requirement of having to demonstrate actual injury or harm for alleged BIPA violations.
Not surprisingly, Rosenbach opened the floodgates to a tremendous wave of bet-the-company litigation against Illinois companies, as well as many located beyond the borders of the Prairie State, with damages figures greatly exceeding the nature and extent of the violations at issue.
As just one example, in 2020, tech giant Facebook Inc. agreed to pay $650 million to settle a longstanding BIPA lawsuit, In re: Facebook Biometric Information Privacy Litigation, involving its allegedly improper use of facial recognition technology as part of its photo-tagging feature.
What This Means for Companies That Use Biometric Data
Lawmakers' recent success in putting in place new biometrics regulation has provided strong encouragement for other state and municipal legislatures to push forward with their own strict regulation covering the collection and use of biometric data — just as Kentucky has done with its introduction of H.B. 32.
Moreover, the use of a private right of action as H.B. 32's sole enforcement mechanism continues a significant trend that has emerged in recent years: lawmakers clearly favor provisions that allow class actions to be pursued for noncompliance as an integral component of this new wave of biometric privacy proposals, many of which have successfully made their way into law.
Consequently, a real possibility now exists that the same tsunami of class actions that has been generated in connection with Illinois' BIPA may make its way to other parts of the country sooner rather than later.
At the same time, should Kentucky prevail in enacting its new biometric privacy legislation, it may trigger a domino effect whereby other states and cities quickly follow suit.
Practical Compliance Tips
While H.B. 32 represents the first BIPA copycat bill to be introduced by state lawmakers in 2022, it will almost certainly not be the last piece of biometric privacy legislation modeled after Illinois' BIPA to be introduced this year.
As such, companies are well-advised to take proactive steps to implement flexible, adaptable biometric privacy programs that will enable them to adeptly respond to the ever-changing legal landscape of biometric privacy.
Specifically, companies that use biometric data in their operations — even if they conduct business exclusively in parts of the country that do not yet have any type of biometric privacy law on the books — should consider implementing the following compliance practices:
- Provide written notice, before any biometric data is collected, clearly informing individuals that biometric data is being used; how that data will be used and/or shared; and the length of time over which the data will be retained until it is destroyed.
- Obtain a signed written release from all individuals before any biometric data is collected, permitting the collection and use of the individual's biometric data, as well as the disclosure of that data to third parties for business purposes.
- Maintain data security measures safeguarding biometric data that satisfy the reasonable standard of care applicable to the company's given industry. The measures should also protect biometric data in a manner that is the same as or more protective than the manner in which other forms of sensitive personal information are safeguarded against improper disclosure or acquisition.
- Explicit prohibition on selling or otherwise profiting from biometric data: Enforce a strict ban that prohibits selling or any other form of profiting from individuals' biometric data.
Kentucky's BIPA copycat bill is in the very early stages of the legislative process; however, if enacted, the law will go into effect July 14.
The trend toward favoring private right of action provisions over administrative enforcement by both state and municipal legislatures is gaining momentum and should be cause for concern for those entities that use biometrics where no targeted biometric privacy laws currently exist.
More than that, it is only a matter of time before biometric privacy laws are the norm, and not the exception, across the country.
Companies can get ahead of the compliance curve by taking proactive measures to develop and implement biometric privacy compliance programs that encompass the principles and practices described above.
In doing so, businesses can ensure continued, ongoing compliance not just with current biometrics regulation, but with future laws as well — allowing them to always stay a step ahead of today's constantly evolving biometric privacy regulation.
“Ky. BIPA Copycat Bill Could Usher in Class Action Tsunami,” by David J. Oberly was published in Law360 on January 26, 2022.
Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019).