As the United States continues to adjust to COVID-19, more businesses are utilizing biometric data to provide a safe environment for their customers and employees. But the unauthorized use of biometric data can lead to class action lawsuits from customers and employees. In one of the latest such efforts, a former employee sued Amazon in a proposed class action lawsuit claiming that the company's COVID-19 screening program violated Illinois's Biometric Information Privacy Act (BIPA).1 Penalties for violating these laws can be huge. To help reduce this exposure to litigation, companies should be aware of what biometric privacy laws exist, what laws are on the horizon, and what steps they should be taking to maintain the lawful use and collection of biometric data.
The Basics of Biometrics
In general, biometric data are the human body characteristics used to identify or authenticate a person.2 Common examples of biometric data include fingerprints, retina or iris images, or scans of face geometry (i.e., facial recognition).3 But biometric data also includes one's walking style or gait, odor, voice, and veins patterns in one's finger or palm. In fact, many states define biometric data broadly to mean “data generated from measurements or technical analysis of human body characteristics. . . .”4 This broad definition may include body temperature. The complaint against Amazon alleges Amazon required its employees to undergo facial geometry scans and temperature checks without the employees' consent.
Biometric data is often used as a secure method of identifying individuals, allowing access to restricted areas, or to track people's movements.5 But even before COVID-19, biometric privacy was a growing concern. As a result, more states began either including biometric data in their existing privacy laws or creating new laws specific to biometric data.
The Legal Landscape
At the federal level, only a handful of laws, like the Health Insurance Portability and Accountability Act (HIPAA) and the Genetic Information Non-Discrimination Act (GINA), address the use of biometric data. However, the applicability of these laws is limited in scope. The majority of biometric privacy protection is found are the state level. There are generally three types of privacy laws governing biometric data.
First, various data breach notification laws include biometric data. All 50 states have breach notification laws which require companies to notify individuals when specific types of personal information have been exposed in a data breach. As of January 2020, approximately 17 states included biometric data in their definition of “personal information.”6 New York recently expanded its breach notification law to include biometric data.7 But more states are also proposing expanding their breach notification laws to include biometric data.
Second, consumer privacy laws are an emerging set of laws that include biometric data. Consumer privacy laws generally grant consumer's certain rights to their personal information and prohibit companies from selling or disclosing a consumer's personal information without their consent. The California Consumer Privacy Act (CCPA) is the most widely known U.S. consumer privacy law. But Nevada also has its own consumer privacy law. And before COVID-19, more states were proposing their own consumer privacy laws. For example, in February 2020, Arizona proposed a bill similar to the CCPA, granting consumers certain rights related to their personal information such as the right to deletion, right to information, and right to opt-out. However, this bill currently does not grant consumers a private right of action.
Third, there are specific biometric privacy laws. These laws expressly set forth specific consent and security requirements regarding the collection and use of biometric data. Illinois's BIPA is probably the best known, and most actively litigated, biometric privacy law. Texas8 and Washington9 also have biometric privacy laws, but Illinois's BIPA is the only one that grants consumers a private right of action.
More states are starting to enact biometric privacy laws similar to Illinois's BIPA. For example, in January 2020, Virginia proposed a biometric privacy bill similar to BIPA; however, it is narrowly confined to the employee. Under this proposed law, employers must obtain, among other things, written informed consent of their employees before collecting and storing their biometric data. Employers must also disclose the purpose for capturing the biometric data, the mechanism for storing the biometric data, and the length of time the biometric data will be stored and used. An employer who violates this section is subject to a civil penalty of not more than $25,000 for each violation. This law would grant employees a private right of action.
Biometric Class Action Litigation
Class action lawsuits under the breach notification statutes typically arise from companies either failing to provide timely or adequate notification of the data breach; or failing to maintain reasonable physical, administrative, or technical safeguards protecting the data. The CCPA is still a very new law and no claims have arisen yet relating to biometric data. Most biometric data litigation today has arisen from Illinois's BIPA. The major court decisions under BIPA so far have addressed what a plaintiff needs to allege to have standing to sue. These cases have held that a plaintiff does not need to establish actual damages in order to have standing to sue;10 a technical violation of the statute alone may be enough to sue. This expansive scope in standing, along with its private right of action and considerable statutory damages, makes BIPA appealing to plaintiffs' attorneys and makes companies who utilize biometric data particularly susceptible to class action litigation.
On the Horizon
Companies can expect more biometric privacy laws in the near future. To avoid liability, companies should:
- Determine what, if any, biometric privacy laws apply to their business. This will generally include determining which states the company operates in; whether the company indeed collects biometric data; and what individuals and from which states the company collects biometric data.
- Develop guidelines and procedures that govern the collection, use, retention and destruction of biometric data. Developing these guidelines will require determining what biometric privacy laws apply so the company can determine what compliance obligations each of these laws may have.
- Always get consent before collecting biometric data.
1 Michael Jerinic v. Amazon.com Inc. et al., No. 2020-CH-06036 (Cook Cnty. Cir. Ct, Ill. Sept 28, 2020).
2 9 V.S.A. § 2430.
3 Id.; see also 740 ILCS 14/10.
4 Cal Civ. Code § 1798.82; N.Y. Gen. Bus. Law § 899-aa.
5 See Tiffany Lee, Biometrics and Disability Rights: Legal Compliance in Biometric Identification Programs, 216 U. Ill. J. L. Tech. & Pol'y 209 (2016).
6 Arizona, Arkansas, California, Colorado, Delaware, Iowa, Illinois, Louisiana, Maryland, Nebraska, New Mexico, North Carolina, Oregon, South Dakota, Washington, Wisconsin, and Wyoming.
7 See N.Y. Gen. Bus. Law § 899-aa.
8 Tex. Bus. & Com. Code § 503.001.
9 RCW 19.375.020.
10 Rosenbach v. Six Flags Entm't Corp., 129 N.E.3d 1197 (Ill. 2019).
Originally Published by Buchanan Ingersoll, November 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.