How to Avoid the Legal Risks of Biometric Data Collection
From thumbprints to facial recognition, more and more companies are jumping on the biometrics bandwagon. Already used by countless businesses for time entry, security and other needs, corporate interest in biometrics is expanding as companies look to implement new contactless technologies in the COVID-19 environment.
Increasingly, however, businesses that collect biometric information are becoming targets for private lawsuits brought under the Illinois Biometric Information Privacy Act (BIPA). The Illinois statute is the most onerous biometric information privacy law in the country, imposing the risk of significant damages where biometric information is collected without first jumping through a series of regulatory hoops, including securing written consent from all affected individuals. Companies that collect or use fingerprints, facial scans or other biometric information to identify Illinois employees or consumers without complying with BIPA’s requirements risk significant litigation. Significantly, companies based out of state are not exempt — the law applies to entities that collect the data of Illinois residents without regard for the domicile of the business itself. A single violation — e.g. the one-time collection of just one Illinois resident’s fingerprint — can bring penalties of over $1,000 each. Other states, including Washington and Texas, have similar laws, but Illinois is currently the only state to allow private individuals to sue and recover damages for violations.
Indeed, some tech companies are learning that the law may reach well beyond traditional forms of biometrics, such as fingerprints or retina scans, and include information derived from photographs — even if those photographs were submitted by the user. Facebook, for example, is in the process of settling class action claims that its facial recognition software (which helped users “tag” friends in photographs posted to the site) violated BIPA. At $550 million, the proposed settlement was recently criticized by a federal judge as potentially providing too little to class members. Google is currently fighting similar claims relating to its photo recognition technology, but recently argued in federal court in California that information derived from photographs should be excluded from BIPA’s reach.
As more litigation looms, many believe the Illinois law may be vulnerable to a constitutional challenge. A grocery chain alleged to have collected Illinois employee fingerprints in violation of BIPA is currently appealing to the Illinois Supreme Court to hear whether BIPA violates its equal protection rights by arbitrarily exempting certain businesses (government contractors and certain financial institutions) from BIPA liability. For now, the safest way to avoid a BIPA lawsuit is to carefully follow its requirements when dealing with Illinois citizens. Best practices include:
Understand Whether Biometric Data Is Collected: As noted above, there are open questions as to what falls under the “biometric” umbrella. Under BIPA, a “biometric identifier” includes a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and does not include writing samples, signatures, photographs, or physical descriptions (such as height, weight, hair color, or eye color). Note, however, that in at least some instances, courts have determined that information derived from photographs may constitute a facial scan protected under BIPA.
Obtain Consent Prior to Collection and Disclosure of Biometric Data: BIPA permits companies to collect and use biometric information only if the company first obtains written, informed consent from each individual. Informed consent must include:
- Informing the individual in writing that the company is collecting or storing their biometric information.
- Informing the individual how long the biometric information will be retained.
- Informing the individual of the company’s purpose for collecting, storing, and using the biometric information.
- Receiving a written release from the individual.
Additional consent is required to disclose or distribute biometric information to third parties.
Develop Data Retention and Destruction Policies: BIPA requires that companies have a publicly available written policy outlining a schedule for retaining biometric information, and guidelines for destroying such data when the purposes for collecting such data have been satisfied or within three years of the individual’s last interaction with the company.
Avoid Profiting From Biometric Data: BIPA prohibits an entity in possession of biometric data from selling, leasing, trading, or otherwise profiting from a person’s biometric identifier or biometric information.
Given the patchwork of state-by-state privacy legislation, current best practice is for all companies with the potential to reach Illinois consumers or employees (regardless of that company’s location) to implement BIPA-compliant policies to help mitigate litigation risk while questions as to BIPA’s ultimate reach continue to be litigated in the court system.