Biometric data, once a science fiction trope, has become a huge risk for businesses that run afoul of laws dictating the use of fingerprint scans, facial recognition software and other, similar tools.
Not surprisingly, it also has become a gold mine for law firms that specialize in filing class actions.
From unlocking our smartphones with our fingerprints to using facial recognition for security systems, biometric data is firmly entrenched in our digital ecosystem. The handling of this data, and the potential violations of privacy, have led to an upsurge in class-action lawsuits, especially in the U.S.
The Birth of BIPA: A Trailblazer in Biometric Data Legislation
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, was one of the earliest legislative efforts to tackle the commercial collection of biometric data. The law covered various types of data, including iris scans, fingerprints, voiceprints, and scans of hand or face geometry.
BIPA set the stage by establishing a comprehensive set of privacy protections, which included a requirement that companies obtain their customers’ informed consent before they could collect their biometric data.
The law imposed a penalty of $1,000 for each negligent violation and $5,000 for each reckless or intentional violation of the act.
At first, companies were relatively unaffected by BIPA. However, the landscape changed dramatically in 2019, when the Illinois Supreme Court ruled in Rosenbach vs. Six Flags Entertainment Corp. that a plaintiff could be considered an “aggrieved person” under BIPA without needing to prove an actual injury.
The Wave of Lawsuits: BIPA and Big Tech
This ruling meant that damages were presumed in the case of a BIPA violation, whether a tangible or monetary injury to the party existed or not. Predictably, this decision led to a significant surge in BIPA lawsuits.
One notable case was a class-action against Facebook in 2020, where the social media giant was accused of collecting biometric data without users’ consent. Facebook eventually agreed to a $650 million settlement, marking one of the largest consumer privacy settlements in U.S. history.
Most recently, TikTok’s parent company, ByteDance Ltd., agreed to pay $92 million to settle a class-action lawsuit relating to data privacy claims.
While smaller, another Illinois case that drew headlines involved sandwich shop chain Pret a Manger. The company agreed to pay more than $677,000 to resolve a class-action claim alleging that nearly 800 of its employees’ fingerprints were collected and stored via its time-keeping system without first providing notice to the employees.
The Spread of Biometric Legislation
While Illinois remains the only state with comprehensive biometric privacy laws in place, other states have taken note. California, for example, has the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), both of which provide protection for personal information, including biometric data.
California also established a regulatory agency dedicated to enforcing data privacy laws.
Several other states, including New York, Massachusetts, and Maryland, have introduced similar biometric legislation.
These legal developments serve as a clear signal for businesses to reassess their handling of consumer data. Businesses that fail to comply with these laws can expect to face substantial penalties, underscoring the need to take privacy considerations seriously.
Steering Clear of Biometric Lawsuits
Here are some guidelines that companies can consider to better protect themselves against biometric violation lawsuits:
- Understand and Comply with Relevant Laws: The first step to avoiding biometric violation lawsuits is understanding the laws and regulations regarding biometrics. These include BIPA in Illinois, CCPA in California, and similar laws in other states. It's also important to note that some states might have stricter laws than others. For example, BIPA allows individuals to sue for statutory damages without alleging actual harm, making it stricter than many similar laws.
- Implement Proper Policies and Procedures: To protect themselves, companies should implement clear policies and procedures regarding biometric data collection, storage, and use. These policies should cover consent, disclosure, data retention and destruction, and security measures.
- Secure Informed Consent: Before collecting, storing, or using any biometric data, companies should obtain informed consent from the individuals involved. This typically involves providing clear, written information about what data will be collected, how it will be used, who will have access to it, how it will be stored and protected, and how long it will be kept. It also involves obtaining a signed acknowledgment or agreement from the individual.
- Limit Data Collection, Storage, and Use: Companies should only collect, store, and use the minimum amount of biometric data necessary for their purposes. They should also limit the length of time they keep this data and ensure it is securely destroyed when no longer needed.
- Implement Strong Security Measures: Biometric data is sensitive and can be a target for cyberattacks, so companies should implement strong security measures. This could include encryption, secure storage solutions, regular security audits, and training for employees on data security best practices.
BIPA and the lawsuits it has thus far spawned are just the beginning. Biometric data privacy legislation will undoubtedly pass in more states and more class actions are likely to follow. But, by taking these steps, companies can greatly reduce their risk of biometric violation lawsuits, while also respecting the privacy and security of the individuals whose data they handle.
The Mahoney Group, based in Mesa, Ariz., is one of the largest independent insurance and employee benefits brokerages in the U.S. An employee-owned organization, we’ve been providing our clients with the confidence to face whatever lies ahead for more than 100 years. For more information, contact us online or call 877-440-3304.
This article is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.