Biometric data privacy laws for in-house counsel
One of the newest problems in-house counsel must deal with is the growing number of privacy laws governing the use of biometric data. A number of states and local governments, led by Illinois, have enacted — or are in the process of enacting — laws and regulations that govern the collection and use of biometric data, whether it be that of consumers or employees.
Given the prevalence and ease with which businesses collect and use biometric data, in-house counsel should be aware of these laws and, more importantly, the substantial penalties — financial and reputational — for failing to comply.
1. What is biometric data and how is it used?
Biometric data is biological data about the unique behavioral and physical characteristics of individual persons, including fingerprints and palm prints, DNA, retinal and iris patterns, facial image recognition, and voice recognition. Biometric data also includes behavioral characteristics, such as the gait of how we walk and other “patterns” that can be unique to a specific individual. All of this biometric information can be — and is — collected by businesses and governments for a wide variety of reasons.
Every human has biometric data. It is unique and, for the most part, permanent. It is easy to record, measure, and store, and also very difficult — if not impossible — to forge. We always have it with us, so it is available when needed. As a result, biometric data is frequently used by companies to authenticate or identify a person. For example, most consumers have used fingerprints or facial pictures as replacements for passwords to access our smartphones and other devices.
In corporate settings, biometric data is used for health purposes, to gain access to restricted materials or areas, or even as a replacement for the timecard. In social media, facial recognition has been used to identify individuals. Governments, on the other hand, use biometric data to track health issues, like COVID-19 vaccination status. Law enforcement can use DNA to identify suspects in a crime or use a facial scan database to identify criminals based on video footage. The data is used by border enforcement officials as well.
2. Why are biometric privacy laws needed?
Companies and governments are building huge databases to store the biometric data of their customers, employees, and citizens. Unfortunately, these databases can be — and have been — used for purposes that differ from the basis on which it was collected. They can also be hacked.
While a consumer may think it is convenient to open their smartphone with a “selfie,” they probably are not thinking about issues like how else is my biometric data being used? Are there limits? Can it be sold? These questions matter. If stolen, or even just copied, biometric data can provide access to a person’s most sensitive secrets, data, and bank accounts. It can be used to expose health issues — physical and mental — making it a perfect blackmail tool.
For example, biometric data can be used to fire a gun or open a safe, and a photo of the owner can unlock a smartphone set to open with a facial scan. Governments can track the movements of individuals by using facial recognition and publicly placed cameras. The problem of “deep fakes” using artificial intelligence (AI) and biometric data together — like voice patterns — is a real and growing concern.
3. What privacy laws govern biometric data?
The first state to enact biometric data privacy laws was Illinois in 2008. Its Biometric Information Privacy Act (“BIPA”) is the most comprehensive and restrictive in the country. More importantly, it offers a private right of action — something the laws of other states do not do. The good news is, if you comply with the BIPA, you should be well set for complying with the other state and local privacy laws covering biometric data.
The BIPA has several core requirements:
- Mandates certain data security obligations
- Sets out retention/destruction guidelines
- Requires disclosure and informed consent prior to collection
- Permits only limited disclosure rights
- Provides for damages ranging from $1,000.00 to $5,000.00 per violation
- Creates a private right of action
There have been numerous lawsuits litigating the BIPA and similar laws, and businesses have frequently been on the wrong end of final verdicts to the tune of millions of dollars in damages.
Illinois is not the only privacy law covering biometric data. Texas, California, Arkansas, and Washington state also have biometric data laws; over 20 states have such laws pending. Cities such as New York City are enacting biometric-related ordinances to limit the collection and use of such data. Additionally, the FTC and numerous state attorneys general are using deceptive trade practices laws to bring actions involving the collection and use of biometric data.
Google, TikTok, Meta, and others have all felt the sting of such enforcement. GDPR, CPRA, and other comprehensive data privacy laws cover the collection and use of biometric data as well. These include mandates around disclosure, opt-in practices, and rights of individuals to know what data businesses have collected, how it is used, who it is shared with, and — in most cases — a right to stop the sale or sharing of biometric information with third parties.
4. What should in-house counsel be doing now to comply with biometric privacy laws?
Start with investigating if and how your company is using biometric data. This starts by questions about data use to the various business units and staff groups. Depending on what you find, consider the following next steps:
- Is the company documenting its collection efforts — by purpose, geography, etc. — and limiting the collection of biometric data to only that which is needed?
- Has the company received the appropriate permissions to collect and use biometric data? The BIPA, for example, requires a written release from employees.
- Has the company given the proper notices to consumers or employees about the collection and use of biometric data? Can they opt out of such collection?
- Is the biometric data properly destroyed when no longer needed?
- Does the company have an internal policy setting forth the types of biometric data the company collects and how it may be used by employees? Are employees trained on the policy?
- Is biometric data secure using the latest in building security and data security protection? If a vendor is used to collect or store such data, has the company properly vetted the vendor?
- Does the legal department understand the laws around biometric data that may apply to how the company collects and uses biometric data?
- Does the company’s cyber-risk insurance cover biometric data claims?
- Is the company profiting from the sale of biometric data? If so, it may be time to reconsider that business model.
There is value in biometric data and businesses are looking for ways to harvest that value, either in terms of better workplace practices or commercial endeavors. There is also a lot of risk with the collection and use of such data.
Step one for in-house lawyers is understanding the biometric privacy law landscape. Step two is understanding how their company is using, or plans to use, such data. Step three is ensuring the business complies with all legal obligations and, more importantly, the expectations of its employees and customers. Anything less is asking for trouble. In-house lawyers with access to Practical Law have a wealth of resources to understand, track, and comply with biometric data privacy laws.