Recent Trends in Biometric Litigation: Risk of Costly Class Action Lawsuits for Non Compliance with Biometric Privacy Laws
The use of biometrics in everyday life, whether for commerce, customer service, data security, or other purposes, is proliferating. With that proliferation comes the potential for costly and disruptive biometric litigation.
If your business integrates biometric technologies into its platforms and processes, it is important that you are aware of your legal obligations regarding the collection, storage, and use of biometric data. The legal risks that you may be exposed to in this rapidly evolving regulatory landscape are expanding due to the adoption of state-level regulations.
What are biometrics?
Private industries are quickly adopting biometric technologies and as a result, more individuals are providing biometric data in everyday experiences and transactions. To review a summary of biometric technologies used in the private sector, please click here.
What does the current biometric legal landscape look like?
To address this increased use of biometric data, states have begun to adopt specific laws to regulate the collection, storage, and disclosure of biometric data. Illinois’s Biometric Information Privacy Act (BIPA), 740 ULCS 4/1 et seq., adopted in 2008, is one such state law whose successful use has spurred the introduction of similar legislation in other states.
Under BIPA, businesses must comply with specific notice and consent requirements before they collect, store, and use biometric data. In addition, businesses must develop public data retention policies, and take steps to protect and restrict the disclosure of biometric data. BIPA also includes a private right of action that permits an aggrieved individual to file suit for statutory damages against an alleged BIPA violator.
Private rights of action under BIPA, and similar state laws, have led to a proliferation of class action suits for the improper collection, storage, and use of biometric data. For example, in 2015, in Sekura, et al. v. L.A. Tan Enterprises Inc., No. 15-CH-16694, Ill. Cir., Cook Co., a class action suit was brought in Illinois against L.A. Tan Enterprises, Inc., a nationwide franchiser of tanning salons. A class of tens of thousands of plaintiffs alleged that L.A. Tan violated BIPA when, among other things, it improperly disclosed customers’ fingerprint scans to an out-of-state, third-party software vendor. The suit settled for $1.5 million and represented the first court settlement involving BIPA.
Other class action lawsuits have followed. These suits include actions against Facebook, Shutterfly, and Google for alleged violations of BIPA regarding the capture and storage of facial features. These cases are still pending. Regardless of their resolutions, however, businesses should expect to see similar lawsuits in states that enact legislation modeled after BIPA.
New Hampshire, ME, and Vermont have already enacted laws that in certain situations, govern the collection and use of biometric data. Massachusetts, Connecticut, and Rhode Island have included biometric data in their statutory definitions of personal information in their broader privacy laws. Recently though, expanded biometric privacy bills that resemble BIPA have been introduced in other state legislatures, including in New Hampshire. H.B. 523, 2017 N.H. H.R., Reg. Sess. (N.H. 2017), would regulate the collection, retention, and use of biometric information by individuals and private entities. Like BIPA, any person aggrieved by a violation of the law would have a private right of action and a right to statutory damages, and potentially attorney’s fees and costs and other relief, including injunctive relief. The bill is currently retained in legislative committee and its future is unknown. However, the combination of an uptick in class action lawsuits regarding biometric data and an increased public focus on data security and privacy likely make it a question of “when,” not “if,” similar laws are passed in New Hampshire and elsewhere.
How do I protect my business when I collect, store, and use biometrics?
Whether you are thinking about adopting and using biometric technology or you have already implemented this technology in your business, to minimize the risk of future litigation, it is important to develop (or revise) policies and best practices for using biometric technologies. Due to the adoption of state-level biometric data privacy laws, businesses must closely monitor this rapidly developing legal landscape. At a minimum, every business using biometric technology should ensure:
- That it has developed a clear and conspicuous notification and consent process that follows applicable state law;
- That is has developed data retention and disposal policies that are disclosed to its customers; and
- That it employs an opt-out structure for customers.
As disruptive technologies like biometrics integrate with our everyday lives, developing and navigating the new regulatory and legal framework in which they operate will be a critical task for businesses, consumers, and regulators. This new framework must be flexible enough to accommodate emerging technologies but still rigid enough to adequately protect consumers’ interests in health, safety, and privacy.
From concept to market and beyond, Bernstein Shur counsels businesses and regulators on emerging and disruptive technologies. If you have questions regarding how to best protect your business as you implement biometric technologies, please contact us.
Authored by Christina A. Ferrari