The risks of biometrics non-compliance
Most companies are aware of issues concerning how they use and handle “personally identifiable information” (PII) belonging to their customers. In general, web-based businesses (which is to say, nearly all businesses) disclose their uses of PII with some specificity in their privacy policies and terms of use (goodcounsel is often called upon to draft these for its clients). PII in the healthcare context is tightly regulated under the Health Insurance Portability and Accountability Act, and the use of PII more generally by the Internet giants has come under increased scrutiny in the last two years.
A special subset of PII is biometric data – information revealing a person’s unique physical or behavioral characteristics, such as fingerprints, DNA, retinas, handprints, voiceprints, facial geometry, physical descriptions (e.g., height, weight, tattoos), written signatures, and demographic data. What makes biometric data “special” is that it cannot (or cannot easily) be changed. Once a piece of biometric data is compromised, the person has little or no chance of regaining control over it.
Illinois was a leader in developing a comprehensive statute to address the protection of biometric information. The Illinois Biometric Information Privacy Act (BIPA) was passed 11 years ago, though until fairly recently, it seems that people had taken little note of it. Many other states are now modeling their biometrics legislation on BIPA. BIPA imposes restrictions on businesses that collect or otherwise use biometrics. Notable requirements include obtaining written consent from individuals before obtaining their biometric data and disclosing their policies for usage and retention.
One significant reason that people are paying more attention to biometric data regulations is that lawsuits are on the rise, many against well-known companies. Perhaps the most significant decision under BIPA is the Illinois Supreme Court’s January 2019 decision in Rosenbach v. Six Flags Entertainment Corporation. The Court held that a plaintiff may receive statutory damages and injunctive relief under BIPA without demonstrating actual injury or adverse effect; a showing that the plaintiff’s rights under BIPA have been violated is sufficient. This decision has already influenced many other state courts, at both the trial and appellate levels. However, in federal courts, plaintiffs need to show more than a “bare procedural violation” of a statute to satisfy the “concrete injury” requirements of federal law.
Of even greater concern for companies, class action lawsuits alleging BIPA violations are also on the rise. Amazon Web Services has been one notable target. The allegations against AWS include its failure to establish a policy specifying the parameters for biometric data retention and destruction, and its failure to obtain plaintiffs’ written consent before storing their biometric data. Statutory damages can quickly add up in the class action context: $5,000 in statutory damages for each willful or reckless violation or actual damages, whichever is greater, and $1,000 in statutory damages for each negligent violation or actual damages, whichever is greater.
If your company collects biometric data, consider whether your privacy policy and terms of use reflect your actual practices with respect to biometrics, and whether obtaining a written release for such practices is needed. If you need any guidance in updating these documents, we are just a click away.