What Cos. Could Expect from National Biometric Privacy Bill

Law360

From biometric fingerprint timeclocks to facial recognition-based COVID-19 temperature screening devices, the myriad ways biometric data is used for commercial purposes continues to proliferate.

As the use of biometric data grows, so, too, do the associated legal risks — as lawmakers seek to strengthen regulation over this especially sensitive form of personal data.

While several states have enacted statutes that directly target the use of biometric technologies — most notably, the Illinois Biometric Information Privacy Act — pressure has mounted for the implementation of federal biometric legislation to apply uniformly across all 50 states.

In August, Sens. Jeff Merkley, D-Ore., and Bernie Sanders, I-Vt., introduced the National Biometric Information Privacy Act, which would do just that — i.e., impose requirements similar to Illinois' stringent biometric privacy statute from coast to coast. While it has yet to be seen whether the act will become law, it is clear the breadth of exposure stemming from the use of biometric data will continue to trend upward.

Thus, companies using biometric data in their operations — even those that are not currently subject to state-specific biometric privacy laws — should ensure they have the proper practices in place to minimize risk stemming from the increasing regulation over the use of biometrics.

Overview of Biometric Data

Biometric data generally encompasses unique, measurable human biological or behavioral characteristics — including fingerprints, voiceprints and scans of hand or face geometry — that are used primarily for identification and authentication purposes.

Importantly, biometric data is different from Social Security numbers and other forms of personally identifiable information because once compromised, biometric data has forever lost its ability to be used as a secure identifying mechanism.

Illinois Biometric Privacy Law Versus the National Biometric Bill

For the most part, the act is substantially similar to Illinois' biometric privacy statute.

Like BIPA, the act places strict limitations on companies' ability to collect, use, retain, disclose and sell individuals' biometric data without first providing notice and obtaining written consent; it also requires a written release be obtained before disclosing any biometric data.

Also similarly to BIPA, the act requires companies to maintain a publicly available privacy policy that includes specific timelines for the permanent destruction of biometric data. The act also mandates security measures using the same reasonableness standard for protecting biometric data as is found in BIPA.

Critically, like BIPA, the act provides a private right of action allowing consumers to pursue class action litigation for purported violations.

However, the act diverges from BIPA in another consumer-friendly way: by explicitly eliminating any potential standing hurdles that often serve to foreclose recovery by plaintiffs in similar BIPA litigation. Said differently, the act explains that consumers have standing to pursue violations thereof even if their injury is merely a technical violation with no real-world implications — for instance, a fingerprint was collected illegally, but was never improperly accessed or transmitted outside the organization to a third party.

The other major difference between the two laws is the act's inclusion of a right-to-know provision. Those familiar with the California Consumer Privacy Act will recognize this right — which requires companies, upon request, to disclose a range of different pieces of information regarding the biometric data that has been collected on the requesting individual and how that data is used, shared, and/or sold. Conversely, BIPA does not include any right or other requirements of this nature.

Analysis and Takeaways

While Texas and Washington also have biometric privacy statutes of their own, Illinois' BIPA remains the only such law to offer a private right of action allowing consumers to pursue class litigation for purported violations of the statute.

BIPA's private right of action, which makes available damages of between $1,000 and $5,000 for each violation of the law, has created a nightmare liability scenario for companies. As just one example, last month, U.S. District Judge James Donato of the U.S. District Court for the Northern District of California approved Facebook Inc.'s agreement to pay $650 million to settle a long-standing BIPA suit involving the use of facial recognition software — but only after the judge rejected Facebook's initial $550 million proposal.

The act follows after BIPA by also including a private right of action, which would significantly expand the scope of potential liability exposure for all U.S. companies that use biometric data in their day-to-day operations. This would likely lead to a flood of bet-the-company litigation from coast to coast.

Beyond this noteworthy litigation risk, the act would also impose new, substantial compliance obligations on entities using biometric data — many of which have not yet even contemplated instituting the policies and practices required under today's biometric privacy statutes. To further complicate matters, if the act successfully makes its way into law, companies would have only 60 days after enactment to come into compliance with certain provisions.

If prior attempts at enacting federal privacy legislation are any indication, however, the act will face an uphill battle in garnering enough congressional votes. To date, prior federal consumer privacy and biometric privacy bills have failed during the legislative process, mainly due to major disagreements over what a nationwide privacy law should encompass.

A substantial difference of opinion exists in Congress as to whether privacy law should preempt similar state statutes or whether states should be free to enact stronger legislation if they feel a federal law does not sufficiently protect consumers' sensitive personal data.

Legislators also disagree on how a federal law should be enforced — specifically, whether a law of this nature should provide consumers with a private right of action or, alternatively, whether enforcement powers should rest exclusively with federal administrative agencies.

With that said, the likelihood of a federal biometric privacy law's becoming a reality is significantly higher today, with greater calls from both legislators and consumer privacy advocates for uniform, consistent federal biometric privacy legislation that would apply across the nation.

And as instances of biometric data misuse — such as those alleged against facial recognition software company Clearview AI — continue to come to light, Congress will remain under increased pressure to make a federal biometric privacy law a reality.

What to Do Now

While the act is not likely to be enacted this year, Congress has certainly put down a marker that biometric privacy — and the misuse of sensitive biometric data — is a major concern that will continue to receive federal lawmakers' attention.

Businesses using biometric data should pay close attention to congressional efforts to pass federal biometric privacy legislation during the next legislative session, as the act and other similar biometric privacy proposals could stand an even better chance of passage after the 2020 election.

In the interim, companies using biometric data or considering doing so in the future — even if they are not subject to any biometric privacy regulation at this time — should not wait until new regulation is passed; instead, they should take affirmative action to install flexible, adaptable compliance programs that directly address biometric privacy. Companies should consider the following:

Privacy Policy

Develop a publicly available biometrics privacy policy that includes, at a minimum, information relating to the company's schedule and guidelines for the retention and permanent destruction of biometric data.

Notice

Provide a written biometrics notice — prior to the time any biometric data is collected — that conspicuously informs individuals that biometric data is being collected, used, and/or stored by the company; how that data will be used and/or shared; and the length of time over which the company will retain the data until it is permanently destroyed.

Consent

Obtain a signed written release/consent from all individuals prior to the time any biometric data is collected that permits the company to collect/use the individual's biometric data and disclose the data to third parties for business purposes.

Opt Out

Permit individuals to opt out of the collection of their biometric data.

Data Security Measures

Maintain data security measures to safeguard biometric data that satisfy the reasonable standard of care applicable to the company's industry and that protect biometric data at least as well as the company protects other forms of sensitive personal information.

An early start toward compliance can make all the difference between being able to fully comply with today's increasingly complex web of biometric privacy laws and being on the receiving end of a potentially catastrophic class action.

“What Cos. Could Expect from National Biometric Privacy Bill,” by Jeffrey Rosenthal and David Oberly was published in Law360 on August 27, 2020.