Biometric Privacy Laws: Illinois and the Fight Against Intrusive Tech


One of the most popular cellphone applications (“apps”) at the start of 2018 was Google Arts & Culture, which featured an algorithm that allowed users to find their historical art doppelganger by taking a selfie.[1] The results were often humorous, but unfortunately, residents of Texas and Illinois missed out on all the fun. Google eliminated the selfie feature in those locations because these two states have implemented privacy laws that strictly regulate the collection of biometric data such as fingerprints, retinal scans, and facial geometry.[2] Illinois was the first state to implement a comprehensive biometric privacy regime, and the law continues to grow in influence as more companies are utilizing biometric data in new and complex ways.

What is Biometric Data and Why Does it Need Specific Protection?

Biometric data refers to “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person.”[3] This can take the form of fingerprints, retinal/iris scans, voiceprints, and facial recognition scans.[4] As these technologies have continued to develop and become more accessible, the commercial use of biometric data has expanded dramatically.[5] The most common commercial use is biometric time clocks, but biometric data is also being used in authentication processes for things like telephone calls and online applications.[6] Notably, the most recent iteration of the iPhone launched facial recognition technology, allowing users to use their face as their password.

However, biometric data in a commercial context poses unique problems. First, biometric data cannot be changed or replaced if stolen or compromised.[7] Moreover, certain types of biometric data are especially vulnerable. For example, those who wish to steal biometric data, specifically facial scans, can covertly scan crowds in public places. However, one of the largest concerns of consumers and employees, and what biometric privacy laws principally address, is corporations storing large swaths of highly personal biometric data. The Illinois law, specifically, was implemented after an Illinois company called Pay By Touch filed for bankruptcy and attempted to sell its stores of fingerprint data during liquidation.[8]

How Does the Illinois Act Protect Biometric Data?  

Although the Illinois Biometric Privacy Act (“BIPA” or the “Act”) does not prevent companies from collecting, using, or storing the biometric data of their employees or customers, it does have strict compliance requirements. Under the Act, companies must give notice when they are collecting, using or storing biometric information, and must obtain written consent before collecting biometric data from any individual.[9] Additionally, BIPA “prohibits private entities from selling biometric information, restricts the disclosure thereof, and requires reasonable care be taken in storing or transmitting biometric identifiers/information.”[10] More specifically, companies must develop and implement a written biometric data policy that details guidelines for the retention and destruction of biometric data and adopt procedural safeguards to ensure sensitive data isn’t leaked or stolen.[11]

While two other states, Texas and Washington, have also implemented biometric privacy acts, BIPA remains the touchstone for biometric data regulation largely because of the significant penalties it imposes for noncompliance. Under the Act, companies are liable for $1000 per violation for negligent violations and $5000 per violation for intentional or reckless violations (or actual damages, whichever is greater).[12] Companies are also on the hook for the costs of litigation and possibly injunctive relief. For companies with many employees, this means that a data security failure can be financially devastating. However, the most significant aspect of the Illinois Act is that it allows for class action lawsuits, a recent development that has begun to plague many large companies that do business in the state.[13]

Recent Legal Trends Concerning BIPA

Though BIPA came into effect in 2008, the full implications of this law only became apparent within the past few years. As of January 2018, more than fifty companies, including big names such as United and Hilton, have faced lawsuits under BIPA.[14] Some cases are now even being brought outside of Illinois. Facebook is currently embroiled in three separate lawsuits under BIPA that will answer a pressing question concerning the law. As of now, courts remain divided as to whether, under the Act, companies could be liable for mere statutory violations, or if individuals need to prove actual damages.[15] If the law does indeed allow for statutory damages, this means companies could be liable for failing to meet the compliance requirements, regardless of whether consumers’ or employees’ biometric data is actually compromised. This has caused significant concerns for tech companies like Facebook, Google, and Apple that utilize significant amounts of biometric data, and has led them to engage in concentrated lobbying efforts to limit the spread and intensification of these regulations.[16] These efforts so far have prevented the implementation of similar biometric privacy laws in states like California, New York, Montana, Connecticut, and several others.[17]

[1] Jack Nicas, Why Google’s New App Won’t Match Your Face to Art in Some States, Wall Street J. (Jan. 18, 2018, 12:32 PM),

[2] Id.

[3] E.g., Council Directive 95/1, art. 4, 2016 O.J. (L 119) (EC), available at

[4] Ted Claypoole & Cameron Stoll, Developing Laws Address Flourishing Commercial Use of Biometric Information, Bus. L. Today (May 2016),

[5] See id.

[6] See id.

[7] See id.

[8] See Kartikay Mehrota, Tech Companies Are Pushing Back Against Biometric Privacy Laws, Bloomberg Businessweek (July 19, 2017, 8:26 PM),

[9] P. Russell Perdew et al., Second Circuit Delivers Limited Victory to Defendant Under Illinois Biometric Privacy Act and Spokeo, Locke Lord: Quick Study (Locke Lord LLP) (Nov. 22, 2017),

[10] Id.

[11] Baker McKenzie, A New Threat From an Old Source: Class Action Liability Under Illinois’ Biometric Information Privacy Act (Oct. 16, 2017),

[12] Id.

[13] See Adam Janofsky, Fingerprint-Scanning Time Clocks Spark Privacy Lawsuits, Wall Street J. (Jan. 11, 2018, 1:55 PM),

[14] Id.

[15] Baker McKenzie, supra note 11.

[16] Id.

[17] See Mehrota, supra note 8.



Fordham Journal of Corporate & Financial Law