Given recent technological advancements, companies now have the ability to utilize biometric data in a broad number of ways to improve the efficiency and effectiveness of their operations. As a result, businesses are now turning to biometric identifiers—such as fingerprints, voiceprints, scans of hand/face geometry, retina and iris scans, as well as other less obvious biometric identifiers—for identification, authentication, and other purposes. This trend has brought about a swift, fundamental transformation in the way companies conduct business.
The use of biometrics, however, comes with significant legal risks as lawmakers across the country implement laws to tightly regulate the use of this technology. To date, several states have enacted targeted biometrics laws that place strict requirements and limitations on the collection and use of biometric data, including the now well-known Illinois Biometric Information Privacy Act (“BIPA”). Recently, the commercial use of biometric data has led to a significant wave of class action litigation for alleged technical missteps—a trend that will continue, if not increase, during the foreseeable future.
At the same time, states are encompassing biometric data within the scope of their new, broader consumer privacy statutes and/or amending current data breach notification statutes to make existing laws applicable to biometrics. Other states that do not currently regulate biometric technology have ramped up efforts to enact similar laws of their own—many of which have been modeled closely after BIPA.
Taken together, and as the scope of liability exposure continues to expand, companies that use biometric data (or intend to do so in the future) must have the necessary compliance and security measures in place to maintain ongoing compliance with current (and future) biometric regulation to minimize exposure to agency scrutiny, enforcement, and costly class action litigation.
How We Can Help
Blank Rome’s biometric privacy attorneys are well versed in this rapidly developing area of law and experienced in assisting clients in directly addressing and minimizing the risks associated with regulatory compliance, enforcement, and litigation. In addition to our considerable experience, our biometric privacy attorneys are thought leaders in this space, having extensively published and presented on compliance best practices, emerging legal trends involving biometrics laws around the country, industry and legal trends, and litigation strategy. At the same time, our multidisciplinary Biometric Privacy Team also draws talent from our Firm’s Cybersecurity & Data Privacy, Privacy Class Action Defense, Artificial Intelligence Technology, and Labor & Employment groups. Together, our Biometric Privacy Team assists clients in implementing proactive measures to satisfy the requirements of today’s biometric privacy laws, and aggressively defends clients in the event their biometrics practices are challenged in court.
Biometric Privacy Compliance & Risk Management
Our Biometric Privacy Team counsels and advises companies that collect, use, disclose, and store all types of biometric data on the full range of regulatory compliance obligations applicable today, as well as on managing potential liability exposure and risk. We have experience assisting businesses that have already integrated biometric technologies into their operations, as well as companies that are contemplating the use of biometric data.
Our Biometric Privacy Team also assists clients in building out comprehensive biometric privacy compliance programs through the development and implementation of policies, procedures, and practices to satisfy the stringent requirements mandated by biometric privacy laws. We are adept at building tailored, comprehensive, and flexible compliance programs that enable our clients to achieve compliance while also not sacrificing their business models, including:
- Biometrics Privacy Policies: Developing written biometric data-specific privacy policies detailing businesses’ biometric data practices, including retention schedules and guidelines for permanently destroying biometric data.
- Biometrics Privacy Notices: Developing written biometric data-specific privacy notices containing detailed information and notice regarding businesses’ biometric data practices.
- Biometrics Written Releases/Consents: Developing written releases/consent forms that capture individuals’ written consent to the entity’s biometric data policies and practices, as well as to the entity’s collection, use, storage, and disclosure of biometric data.
- Data Security Compliance Counseling: Counseling businesses on the necessary measures that must be implemented to achieve a high level of compliance with the data security component of biometric privacy laws.
- Vendor Management Counseling: Counseling businesses on the necessary due diligence and vetting required for all potential vendors that will have access to organizational biometric data to ensure vendors’ maintenance of adequate data security measures.
- Vendor Contract Language Drafting: Drafting biometric data-specific contractual language for inclusion in contracts with biometric technology vendors that takes into consideration key issues raised by biometric privacy regulation.
- Insurance Review: In conjunction with our dedicated insurance recovery attorneys, review existing policies for coverage assessments regarding a breach of biometric data or litigation arising from allegations of improper collection, use, or retention of biometric data.
- Arbitration Agreement & Class Action Waiver Counseling & Drafting: Counseling businesses on implementing arbitration agreements and class action waivers to limit potential biometric privacy liability exposure, including drafting arbitration provisions and class action waivers that can provide businesses with the ability to require all such disputes be resolved on an individual basis via arbitration, not in court.
- Collective Bargaining Agreement Counseling & Drafting (Unionized Employers): Counseling unionized employers on addressing key biometric privacy issues during the collective bargaining process, including drafting biometric privacy-specific contractual language for inclusion in employers’ collective bargaining agreements that can provide employers with the ability to require workers to resolve all such disputes through their union’s grievance process, not in court.
Biometric Privacy Class Action Defense
Our Privacy Class Action Defense Team is composed of seasoned litigators skilled in defending high-stakes biometric privacy class litigation. Our biometric privacy trial attorneys are frequently retained to litigate high-exposure and high-profile disputes and have developed reputations for achieving superior results against challenging odds in courts across the country—including the U.S. Supreme Court.
As thought leaders in this area, our biometric privacy litigators have developed a comprehensive understanding of the core strategies relied on by plaintiffs’ attorneys to litigate biometric class actions, as well as the applicable defenses to defeat and/or limit a range of different biometric class claims. Our biometric privacy litigators utilize this in-depth knowledge of the most significant and complex issues that arise in all types of biometric litigation to develop winning litigation strategies, aggressively defend clients, and posture cases for dispositive dismissals or favorable settlements.
Beyond biometric-specific laws, our Privacy Class Action Defense Team’s knowledge and abilities extend to all privacy laws that implicate the use of biometric data, including the California Consumer Privacy Act of 2018. Our multidisciplinary approach allows us to combine our extensive class action litigation and significant privacy experience to provide a formidable defense against all types of class litigation involving allegations of improper biometric data practices.
Download Our Exclusive Biometric Privacy Compliance Checklists
Biometric Privacy Compliance Checklist: Illinois BIPA
Biometric Privacy Compliance Checklist: Texas CUBI