States across the country are enacting or proposing legislation to regulate the collection, storage, use and disclosure of biometric data. Some rely on statutes that impose specific requirements unique to biometrics, while others rely on general consumer privacy laws that encompass biometric data, and all 50 states (plus the District of Columbia and Puerto Rico) have data breach notification laws. Businesses that collect, use, store, or share biometric data need to be aware of the legal landscape so they can comply with applicable laws and reduce their litigation risk.
The CCPA: A key general privacy statute
California is a key example of a general privacy statute that encompasses biometric data. The California Consumer Privacy Act (“CCPA”) is the most sweeping state consumer privacy law enacted to date, and “biometric information” is one type of “personal information” that the statute covers. The CCPA broadly defines “biometric information” to include “physiological, biological or behavioural characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.” The eight consumer rights and corresponding business obligations established by the CCPA apply to most businesses that collect, use, store, or share California consumers’ personal information, including biometric information.
The CCPA also includes a private right of action, allowing consumers to sue businesses beginning on January 1, 2020, for “an unauthorised access and exfiltration, theft, or disclosure” of certain limited personal information, resulting from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” This provision does not, however, apply to unauthorised disclosures of biometric information because the right is limited to a narrower subset of “personal information” defined by California Civil Code Section 1798.81.5(d)(1)(A).
The California Consumer Privacy Act: is the EU’s data privacy regulation having an international impact?
Biometric-specific laws
Illinois, Texas, and Washington have enacted laws that specifically regulate biometrics across nearly all settings. Several other states are considering similar laws, and many states regulate biometric data only in narrow contexts, such as in educational or employment settings.
Illinois’ Biometric Information Privacy Act (“BIPA”) is the only one of these laws that currently includes a private right of action. BIPA applies to both “biometric identifiers” (including “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” but not including photographs and other specifically enumerated exceptions) and “biometric information” (generally, information that is “based on” a biometric identifier that is “used to identify an individual”).
Unlike the CCPA’s private cause of action, BIPA’s private right of action is already in effect. Over 300 putative class actions asserting BIPA violations have been filed since 2015. Litigation risk under BIPA is substantial, because the statute provides for “liquidated” damages of $1,000 for every negligent, and $5,000 for every reckless or intentional, violation of the statute. In addition, BIPA’s notice, consent, disclosure, retention, and security requirements are highly technical, and a recent decision by the Illinois Supreme Court means that a person aggrieved by a violation can file a lawsuit even where they suffered no damage beyond mere violation of the statute — see Rosenbach v. Six Flags Entertainment Corp.
The biometrics-specific statutes in Texas and Washington are enforceable only by those states’ attorneys general, so individuals cannot directly sue for violations of the statutes. See Tex. Bus. & Com. Code § 503.001; Wash. Rev. Code 19.375.010. The Texas law otherwise closely tracks BIPA’s model, while the Washington law is substantially more limited. For example, the Washington law applies only when biometrics are “enroll[ed]” in a database for a “commercial purpose”– and both of those terms are narrowly defined.
Big tech firms wants to “clean-up” the new California Consumer Privacy Act
Risk mitigation steps
To reduce your company’s litigation risk in connection with biometrics, the first step is to determine whether (1) the business deals with biometric data and (2) the business is governed by any of the laws discussed above. The first question is complicated by diverging definitions of what qualifies as biometric data, while the second question depends on multiple factors — including where data subjects reside; where data collection, processing, and storage occurs; and where a company’s vendors operate. Given this complexity, it is best to consult counsel to determine what laws apply and how to comply with their requirements. This is especially true for more technical requirements around notice and consent and retention/destruction policies.
Second, the business should limit its use, collection, and possession of biometric data. The risk of litigation and the cost of compliance often means that it is not worth dealing with biometrics if such data is not relevant to a specific business purpose. Finally, the business should make sure that its public-facing statements are consistent with its biometrics-related legal obligations.
Privacy Policies should be kept up-to-date from both a legal and operational perspective, which requires businesses to periodically refresh their knowledge of what data is being collected and held and how this data is being used. Similarly, marketing materials should be reviewed closely to make sure that they are transparent (e.g., clearly describing the technology that is being used and the data that is being collected) and accurate (e.g., because “biometrics” might be defined very differently across different statutes, accuracy will often require avoiding that specific term if possible).