The Proliferation of Biometric Data and Legislation to Regulate its Use
Advances in technology have caused a significant expansion in the use of biometric data, such as fingerprints, iris scans and facial recognition, and other unique characteristics that can be used to verify a person’s identity. Biometric data and systems are widely considered to be a significantly more secure and convenient means for controlling access to things like sensitive information and personal property.
However, the use of biometric data is a double-edged sword that raises a host of privacy concerns. Once a person’s biometric information finds its way to digital form, the risk of its misuse becomes significant. For example, the data could potentially be employed to track an individual’s movements or location, or sold on the private market to advertisers or political campaigns.
In the United States, there is no comprehensive federal law regulating the collection and use of biometric data. However, as a result of the proliferation in its use and the grave potential for its misuse, state legislatures across the country increasingly have begun to consider adopting and enforcing legislation to restrict the collection, retention, and use of biometric data. It is therefore crucial that companies and private employers take heed of these coming regulations, and the potential consequences for violating them.
What Is Biometric Data?
Biometric data generally refers to computer-generated measurements and calculations relating to the physical, physiological or behavioral characteristics of natural persons, which are increasingly used as a form of identification and access control, such as fingerprints, iris scans and face recognition information.
Does Biometric Data Affect Companies and Non-Governmental Employers?
Yes. Biometric data is an emerging trend with a wide-range of current and potential applications, all of which are expanding rapidly. Companies and employers have begun to increasingly employ biometric data for purposes such as unlocking doors, controlling access to sensitive computer information or smartphones, and even preventing employees from “stealing time” through the practice of having others punch in their time cards. Because biometric indicators are unique to the person, they generally are considered to be a more secure and reliable method for verifying identities and controlling access to secure information.
Six Flags Amusement Park, for example, has begun to use biometric thumbprints to prevent customers from re-using their admission tickets, and Facebook is using facial recognition biometric technology to “auto-tag” photos that users upload to its platform. Reports even suggest that Madison Square Garden has begun using facial recognition technology to scan its visitors’ faces for security purposes.
While the security benefits to using biometric technology have been recognized as valuable, the increased use and collection of biometric data also raises a variety of concerns over individuals’ privacy and the protections in place to protect their privacy. Are there laws in place (federally, state wide, locally and even internationally) that require the users and visitors to these arenas, parks, work places and social media platforms to provide consent before their personal biometric data is collected, and perhaps even shared with third parties? In the absence of such consent, are companies exposing themselves to liability for collecting such data without the individuals’ consent? What are the consequences, if any, for companies or employers that collect, and thereafter sell or share the biometric data to third parties? Are remedies available to individuals that learn that a certain company or employer has obtained and used their biometric data without their consent? Are companies and employers that collect biometric data permitted to turn over that data to law enforcement authorities without a warrant? As discussed below, while certain states have attempted to address these very issues, the reality is that there is little comprehensive legislation in the United States regulating this innovative technology.
Are There Laws Regulating Biometric Data?
The European Union’s General Data Protection Regulation (“GDPR”) imposes strict limitations on the processing of biometric data for the purpose of uniquely identifying an individual who is in the European Economic Area (i.e., countries in the European Union and Iceland, Liechtenstein and Norway). Specifically, biometric data is considered a “special category” of personal data, for which the collection, use or other processing is prohibited unless (a) the affected individual provides “explicit consent” for “specified purposes,” (b) such collection, use or other processing is necessary for the establishment, exercise or defense of legal claims, or (c) another permitted use (from a very short list of permitted uses) exists. Notably, the GDPR applies to businesses outside the EU, if they process personal data of individuals who are in the European Economic Area in connection with the offering of goods or services. We will more fully address the GDPR’s implications on biometric data in a separate article.
Few laws exist in the United States that directly regulate biometric data. The United States Congress has yet to pass any federal laws directly addressing biometric technology and data. To date, the only states that have passed laws comprehensively regulating biometric information are Illinois, Texas, Washington, and soon to be California when the California Consumer Privacy Act (“CCPA”) takes effect in January 1, 2020.
Illinois, in particular, was well-ahead of the curve when it passed the Biometric Information Privacy Law (“BIPA”) back in 2008. BIPA imposes stringent standards that restrict how companies may obtain, store, and use customers’ biometric information. BIPA also creates a private right of action for those that fall victim to companies that violate the law. Specifically, BIPA provides that a plaintiff may recover $1,000 in damages from companies that negligently violate a provision of BIPA, and $5,000 in damages from companies that recklessly or intentionally violate a provision. Alternatively, a plaintiff can recover their actual damages.
Just last month, the Illinois Supreme Court, the state’s highest court, handed down a key decision interpreting BIPA that could have wide-ranging effects on states that are currently considering similar legislation. The lawsuit, Rosenbach v. Six Flags, came about after a parent sued Six Flags Amusement Park for collecting her son’s fingerprint without first obtaining the written consent that BIPA requires. The parent sued on behalf of other similarly situated individuals as a class action, which could potentially involve hundreds of additional plaintiffs. Six Flags moved to have the case dismissed based upon its primary argument that it should not be held liable under BIPA because the plaintiff could not establish that he had suffered any cognizable, concrete injury as a result of the alleged BIPA violation. After the trial court denied the motion, Six Flags moved for reconsideration. The trial court then submitted the question of whether BIPA requires a plaintiff to suffer a concrete injury in order to have standing to sue under BIPA to the Illinois Court of Appeal. The Illinois Court of Appeal held that BIPA does require a concrete injury for standing.
In a unanimous opinion issued in January 2019, the Illinois Supreme Court reversed the appellate court and held that a plaintiff need not suffer an “actual injury or adverse effect” in order to recover for a BIPA violation. Rather, the Court held that a person could sue under BIPA solely on the basis that their data was being collected without proper consent. In arriving at its decision, the Court reasoned that these statutory protections “are particularly crucial in our digital world because technology now permits the wholesale collection and storage of an individual’s unique biometric identifiers—identifiers that cannot be changed if compromised or misused.” Therefore, when a private entity fails to adhere to BIPA’s procedures, as the Six Flags defendants were alleged to have done, “the right of the individual to maintain [his or] her biometric privacy vanishes into thin air. The precise harm the Illinois legislature sought to prevent is then realized.” Consequently, the “injury is real and significant,” and not a mere “technicality.”
The Court’s decision was also consistent with the actual language of BIPA, as any “actual injury or adverse effect” requirement would have been difficult to square with BIPA’s provision that allows victims to recover $1,000 and $5,000 as an alternative to actual damages.
Similar lawsuits have made their way through the Illinois state and federal courts, and while biometric-specific laws and courts’ interpretation of those laws are still in their infancy, biometric technology has clearly become a growing and emerging trend that is not going away any time soon.
Does New York Have Laws That Regulate Biometric Data?
New York remarkably has yet to adopt legislation specifically regulating the collection and use of biometric data. However, a narrow labor law that was promulgated in 1937, New York Labor Law § 201-a, forbids employers from requiring employees to be fingerprinted. In addition, comprehensive legislation is currently being considered by both the New York State legislature and the New York City Council to address the public’s privacy rights in connection with companies’ use of biometric technology.
The New York State Senate is currently considering a biometric bill (the “NYS Bill”) that was introduced by Senator Patty Ritchie, which would require private companies that collect biometric data to develop and publish policies for its collection and use. The NYS Bill also contains several key provisions that would restrict how companies obtain, store, use, and destroy biometric data.
With respect to its collection and use, the NYS Bill would require companies to obtain a person’s written consent prior to obtaining or using their biometric data. The NYS Bill also would require companies to destroy any data collected after no more than three years, and would prevent companies from providing biometric data to law enforcement personnel without the issuance of a valid warrant.
Like BIPA, the NYS Bill would also create a private right of action for individuals whose biometric data is obtained or used in a way that violated the NYS Bill. Also similar to BIPA, the NYS Bill does not contain any concrete injury requirement before a person may sue under the law. In other words, a violation would be sufficient to recover in court. The NYS Bill also tracks BIPA’s damages provision by allowing victims to recover $1,000 for a company’s negligent violation, $5,000 for a company’s reckless or intentional violation, or alternatively, actual damages. The NYS Bill is currently being considered in committee.
Finally, New York City is also considering passing legislation to regulate biometric data. In October 2018, New York City Council proposed an amendment to the City Administrative Code (the “NYC Bill”) which would require private businesses to provide notice to customers, in the form of conspicuous signs, before they collect those customers’ biometric information. The NYC Bill would also require businesses to disclose on their websites their policies regarding the collection and use of biometric data.
The NYC Bill also contemplates a private right of action for any person whose biometric information is collected, retained, converted, stored or shared in violation of the proposed law. With respect to damages, the NYC Bill precisely tracks BIPA and the NYS Bill by contemplating the same fines of $1,000, $5,000, or actual damages, and imposing no actual injury requirement. In addition, the NYC Bill contemplates providing the Commissioner of the New York City Department of Consumer Affairs with authority to impose civil penalties of $500 per day for a company’s violation of the NYC Bill. The NYC Bill has not yet been advanced to committee.
With the recent expansion of biometric data and attempts to promulgate laws such as BIPA and the CCPA regulating this fast growing technology around the country (and with the GDPR in Europe, well beyond), there is a growing certainty that businesses and employers nationwide should expect a significant uptick in biometric-related regulation and litigation. In the next few years, we expect additional states and possibly even the federal government to adopt laws regulating this technology. We will continue to track those developments, and encourage companies and employers to review their policies before collecting, using or retaining biometric data in connection with its employees or consumers.
If you have any questions on the issues addressed in this article, please contact the attorneys listed or your usual contact at Tannenbaum Helpern.
For more information on the topic discussed, contact:
Cyber & Privacy Alert is a newsletter by Tannenbaum Helpern’s Cybersecurity & Data Privacy practice that covers emerging legal and business developments affecting cyber and privacy risks and regulation, and their impact on businesses.