A Biometric Data Regulation: Coming to a State Near You

By Michael A. Shapiro, Attorney at XPAN Law Group, LLC

Once a subject of science fiction movies, biometric identification is becoming an integral part of our daily lives. Between fingerprint scanning, voice print identification, and facial recognition technology, more and more companies are collecting and processing biometric data. While biometric identification offers security advantages because an individual's biometric identifiers are unique, it raises significant privacy and security concerns. Unlike passwords or social security numbers, biometric identifiers cannot be changed when compromised.

Not surprisingly, the European Union has been ahead of the curve in regulating biometric data. The GDPR broadly defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological, and behavioral characteristics of a natural person." See Art. 4(14). This definition potentially encompasses such physical identifiers as fingerprints, iris scans, DNA, and facial images, as well as behavioral identifiers such as physical movements and typing patterns. The GDPR designates biometrics as a "special category" of personal data, i.e. it generally prohibits processing of biometric data absent specifically enumerated exceptions, such as the explicit consent of the data subject or a substantial public interest. See Art. 9. Furthermore, processing of biometric data under the Regulation will almost always require controllers to perform a data protection impact assessment, which considers the necessity and proportionality of the processing, the risks to the rights and freedoms of data subjects, and the measures to address those risks. See Art. 45.

In contrast, in the United States the processing of biometric data is regulated by only a handful of states, but that is likely to change in the very near future.  The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., which has been on the books since 2008, offers the greatest protection for consumer biometric information along with a private cause of action which has already yielded more than 200 class action lawsuits.  BIPA requires private entities to provide notice and obtain written consent before biometric information is collected, prohibits the sale of and restricts the overall disclosure of biometric information, and requires companies to follow a reasonable standard of care in storing, transmitting, and protecting biometric information from disclosure.  See 740 ILCS 14/10.   

In a decision issued earlier this year, the Illinois Supreme Court held that failure to comply with these requirements subjects the defendant company to statutory damages and injunctive relief even where the plaintiff shows no actual injury or adverse effect. See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186. See also Dixon v. Washington & Jane Smith Cmty.-Beverly, 1:2017-cv-08033 (N.D. Ill. May 31, 2018) (employer's disclosure of an employee's fingerprint scans without informing the employee or obtaining her consent is a sufficiently concrete injury under BIPA to establish standing to sue in federal court). Following the Rosenbach decision, the number of BIPA class actions is bound to increase.

Texas and Washington have also enacted statutes regulating the processing of biometric information, but they are more limited in scope and lack a private cause of action. In addition, at least six other states are considering legislation regulating the processing of biometric information. Notably, some of these proposals are similar to BIPA, and the legislation pending in Florida, Massachusetts, New York, Michigan, and Alaska provides for a private cause of action. Furthermore, under the California Consumer Privacy Act, a breach of biometric information currently would not give rise to a data breach lawsuit. A pending bill would change that by expanding the pertinent definition of "personal information" to include biometrics, such as a fingerprint, retina, or iris image.

Another notable development has been states including biometric data in the definition of "personal information" in their breach notification laws. Just over the past month, Washington and Arkansas expanded the scope of "personal information" in their statutes to include biometric data.

Although the processing of biometric data remains largely unregulated in the United States, this is a constantly evolving regulatory and legal landscape. In light of the Illinois Supreme Court's ruling in Rosenbach, companies collecting and using biometric data will likely face significant litigation exposure in states where statutes similar to BIPA are soon enacted. Companies that process biometric data should not only carefully monitor regulatory developments in their respective jurisdictions, but also take a cue from the GDPR and proactively assess the necessity and proportionality of their biometric data processing, the corresponding risks, and the measures to address those risks. In privacy and security, luck favors the prepared!

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.