Biometric Privacy


Given recent technological advancements, companies now have the ability to utilize biometric data in a broad number of ways to improve the efficiency and effectiveness of their operations. As a result, businesses are now turning to biometric identifiers—such as fingerprints, voiceprints, scans of hand/face geometry, retina and iris scans, as well as other less obvious biometric identifiers—for identification, authentication, and other purposes. This trend has brought about a swift, fundamental transformation in the way companies conduct business.

The use of biometrics, however, comes with significant legal risks as lawmakers across the country implement laws to tightly regulate the use of this technology. To date, several states have enacted targeted biometrics laws that place strict requirements and limitations on the collection and use of biometric data, including the now well-known Illinois Biometric Information Privacy Act (“BIPA”). Recently, the commercial use of biometric data has led to a significant wave of class action litigation for alleged technical missteps—a trend that will continue, if not increase, during the foreseeable future.

At the same time, states are encompassing biometric data within the scope of their new, broader consumer privacy statutes and/or amending current data breach notification statutes to make existing laws applicable to biometrics. Other states that do not currently regulate biometric technology have ramped up efforts to enact similar laws of their own—many of which have been modeled closely after BIPA.

Taken together, and as the scope of liability exposure continues to expand, companies that use biometric data (or intend to do so in the future) must have the necessary compliance and security measures in place to maintain ongoing compliance with current (and future) biometric regulation to minimize exposure to agency scrutiny, enforcement, and costly class action litigation.

How We Can Help

Blank Rome’s biometric privacy attorneys are well versed in this rapidly developing area of law and experienced in assisting clients in directly addressing and minimizing the risks associated with regulatory compliance, enforcement, and litigation. In addition to our considerable experience, our biometric privacy attorneys are thought leaders in this space, having extensively published and presented on compliance best practices, emerging legal trends involving biometrics laws around the country, industry and legal trends, and litigation strategy. At the same time, our multidisciplinary Biometric Privacy Team also draws talent from our Firm’s Cybersecurity & Data Privacy, Privacy Class Action Defense, Artificial Intelligence Technology, and Labor & Employment groups. Together, our Biometric Privacy Team assists clients in implementing proactive measures to satisfy the requirements of today’s biometric privacy laws, and aggressively defends clients in the event their biometrics practices are challenged in court.

Biometric Privacy Compliance & Risk Management

Our Biometric Privacy Team counsels and advises companies that collect, use, disclose, and store all types of biometric data on the full range of regulatory compliance obligations applicable today, as well as on managing potential liability exposure and risk. We have experience assisting businesses that have already integrated biometric technologies into their operations, as well as companies that are contemplating the use of biometric data.

Our Biometric Privacy Team also assists clients in building out comprehensive biometric privacy compliance programs through the development and implementation of policies, procedures, and practices to satisfy the stringent requirements mandated by biometric privacy laws. We are adept at building tailored, comprehensive, and flexible compliance programs that enable our clients to achieve compliance while also not sacrificing their business models, including:

  • Biometrics Privacy Policies: Developing written biometric data-specific privacy policies detailing businesses’ biometric data practices, including retention schedules and guidelines for permanently destroying biometric data.
  • Biometrics Privacy Notices: Developing written biometric data-specific privacy notices containing detailed information and notice regarding businesses’ biometric data practices.
  • Biometrics Written Releases/Consents: Developing written releases/consent forms that capture individuals’ written consent to the entity’s biometric data policies and practices, as well as to the entity’s collection, use, storage, and disclosure of biometric data.
  • Data Security Compliance Counseling: Counseling businesses on the necessary measures that must be implemented to achieve a high level of compliance with the data security component of biometric privacy laws.
  • Data Security Privacy Policy Language Drafting: Drafting privacy policy language for inclusion in businesses’ general privacy policies detailing the businesses’ data security measures for safeguarding biometric data from unauthorized access, disclosure, or acquisition.
  • Vendor Management Counseling: Counseling businesses on the necessary due diligence and vetting required for all potential vendors that will have access to organizational biometric data to ensure vendors’ maintenance of adequate data security measures.
  • Vendor Contract Language Drafting: Drafting biometric data-specific contractual language for inclusion in contracts with biometric technology vendors that takes into consideration key issues raised by biometric privacy regulation.
  • Insurance Review: In conjunction with our dedicated insurance recovery attorneys, review existing policies for coverage assessments regarding a breach of biometric data or litigation arising from allegations of improper collection, use, or retention of biometric data.
  • Arbitration Agreement & Class Action Waiver Counseling & Drafting: Counseling businesses on implementing arbitration agreements and class action waivers to limit potential biometric privacy liability exposure, including drafting arbitration provisions and class action waivers that can provide businesses with the ability to require all such disputes be resolved on an individual basis via arbitration, not in court.
  • Collective Bargaining Agreement Counseling & Drafting (Unionized Employers): Counseling unionized employers on addressing key biometric privacy issues during the collective bargaining process, including drafting biometric privacy-specific contractual language for inclusion in employers’ collective bargaining agreements that can provide employers with the ability to require workers to resolve all such disputes through their union’s grievance process, not in court.

Biometric Privacy Class Action Defense

Our Privacy Class Action Defense Team is composed of seasoned litigators skilled in defending high-stakes biometric privacy class litigation. Our biometric privacy trial attorneys are frequently retained to litigate high-exposure and high-profile disputes and have developed reputations for achieving superior results against challenging odds in courts across the country—including the U.S. Supreme Court.

As thought leaders in this area, our biometric privacy litigators have developed a comprehensive understanding of the core strategies relied on by plaintiffs’ attorneys to litigate biometric class actions, as well as the applicable defenses to defeat and/or limit a range of different biometric class claims. Our biometric privacy litigators utilize this in-depth knowledge of the most significant and complex issues that arise in all types of biometric litigation to develop winning litigation strategies, aggressively defend clients, and posture cases for dispositive dismissals or favorable settlements.

Beyond biometric-specific laws, our Privacy Class Action Defense Team’s knowledge and abilities extend to all privacy laws that implicate the use of biometric data, including the California Consumer Privacy Act of 2018. Our multidisciplinary approach allows us to combine our extensive class action litigation and significant privacy experience to provide a formidable defense against all types of class litigation involving allegations of improper biometric data practices.

Download Our Exclusive Biometric Privacy Compliance Checklists

Biometric Privacy Compliance Checklist: Illinois BIPA

Biometric Privacy Compliance Checklist: Texas CUBI

Biometric Privacy Compliance Checklist: Washington HB 1493


Select Biometric Privacy Compliance & Risk Mitigation Strategy Counseling Engagements
  • Serve as day-to-day biometric privacy counsel for national online eyewear brand client.
  • Serve as day-to-day biometric privacy counsel for national banking institution client.
  • Developed BIPA biometric privacy compliance program—including creation of tailored biometric privacy policy, biometrics privacy notice, and written consent—for national security solutions company in connection with company employees’ use of biometric fingerprint facility access system.
  • Developed and assisted in implementation of BIPA biometric privacy compliance program for financial institution in connection with use of voice biometrics at client’s call centers.
  • Prepared online consumer arbitration agreements and class action waivers in connection with client virtual try-on technology and provided guidance on proper presentation of online terms to ensure enforceability of arbitration agreement as defense to BIPA class action suits.
  • Conducted analysis and evaluation of client’s biometric privacy legal obligations relating to its in-store smart display product used to analyze shopper demographics and engagement with content/products using facial recognition techniques to deliver targeted, customized content in digital screens to individual shoppers.
  • Provided guidance on client’s use of video surveillance system with facial recognition capabilities to mitigate potential biometric privacy liability exposure.
  • Drafted master services agreements and data processing addenda for clients in connection with their use of third-party biometrics technology vendors, as well as involvement in contract negotiation process between clients and vendors.
  • Counseled clients on strategies for mitigating potential BIPA/biometric privacy liability exposure in connection with third-party biometrics vendors’ collection, use, and retention of client biometric data.
  • Developed numerous tailored biometric privacy compliance programs—including creation of tailored, customized biometric privacy policies, biometric privacy notices, written consent forms, and online consumer arbitration agreements and class action waivers—for corporate clients across a wide variety of industries.
  • Counseled and advised numerous corporate clients on rapidly changing legal landscape of biometric privacy and compliance with BIPA; Texas Capture or Use of Biometric Identifier Act (“CUBI”); Portland, Oregon, private-sector facial recognition ban; New York City biometric privacy ordinance; and similar biometric privacy laws and regulations.
  • Counseled and advised corporate clients across different industries regarding compliance with consumer privacy laws implicating the collection and use of biometric data, including the California Consumer Privacy Act (“CCPA”) and the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), among others.
Select Biometric Privacy Class Action Litigation Defense Engagements
  • Obtained dismissal of national online eyewear brand in putative Illinois Biometric Information Privacy Act (“BIPA”) class action involving allegations of collection and possession of consumer facial template data in connection with client’s virtual try-on technology.
  • Obtained dismissal of national party store chain in putative BIPA class action involving allegations of collection and possession of employee fingerprints in connection with use of biometric timeclocks.
  • Represented national food producer in putative BIPA class action involving allegations of collection, possession, and disclosure of employee fingerprints in connection with use of biometric timeclocks; secured pre-answer dismissal.
  • Currently representing cosmetics company in putative BIPA class action involving allegations of collection and possession of consumer facial template data in connection with client’s virtual try-on technology.
  • Currently representing aerospace turbine manufacturer client in two BIPA class actions involving alleged improper collection and use of employee fingerprints in connection with use of biometric timeclocks.


News & Views

See all News and Views