The risks of biometrics non-compliance
A special subset of PII is biometric data: information derived from a person’s unique physical or behavioral characteristics. Under BIPA, the statute discussed below, “biometric identifiers” are retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry, and “biometric information” is any information based on such an identifier that is used to identify a person. Note that BIPA expressly excludes writing samples, written signatures, photographs, biological samples used for valid scientific testing, demographic data, tattoo descriptions, and physical descriptions such as height, weight, hair color, or eye color; those items may still be PII under other laws, but they are not biometrics under BIPA. What makes biometrics “special” is that, unlike a password or an account number, they cannot (or cannot easily) be changed or rotated. Once a biometric template or image is compromised, the person has little or no chance of regaining control over that data.
Illinois was a leader in developing a comprehensive statute to address the protection of biometric information. The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008, though until fairly recently it seems that people had taken little note of it. Many other states are now modeling their biometrics legislation on BIPA. BIPA imposes restrictions on private entities that collect, store, or otherwise use biometrics. Notable requirements include: maintaining a publicly available written policy that sets a retention schedule and destruction guidelines for biometric data; informing individuals in writing that their biometrics are being collected, for what purpose, and for how long; obtaining a written release from the individual before collecting the data; refraining from selling or otherwise profiting from the data; and protecting the data with at least the same standard of care the entity applies to other confidential and sensitive information.
One significant reason that people are paying more attention to biometric data regulations is that lawsuits are on the rise, many against well-known companies. Perhaps the most significant decision under BIPA is the Illinois Supreme Court’s January 2019 decision in Rosenbach v. Six Flags Entertainment Corporation. The Court held that a plaintiff is “aggrieved” under BIPA, and may seek statutory damages and injunctive relief, without demonstrating actual injury or adverse effect; a showing that the plaintiff’s rights under BIPA have been violated is sufficient. Rosenbach has since been cited by courts in other states, at both the trial and appellate levels. The picture is different in federal court, however: to establish Article III standing, plaintiffs must show a “concrete injury,” and a “bare procedural violation” of a statute, without more, may not qualify. Where a given BIPA claim can be heard therefore affects its exposure, and defendants frequently seek removal to federal court for that reason.
Of even greater concern for companies, class action lawsuits alleging BIPA violations are also on the rise. Amazon Web Services has been one notable target. The allegations against AWS include failing to establish a policy specifying the parameters for biometric data retention and destruction, and failing to obtain plaintiffs’ written consent before storing their biometric data. Both of these are the kind of gap that an engineering or product team creates by default when a system starts ingesting face or voice data without a retention schedule or a consent step in front of it. Statutory damages can quickly add up in the class action context: for each negligent violation, the greater of $1,000 or actual damages; for each intentional or reckless violation, the greater of $5,000 or actual damages; plus reasonable attorneys’ fees and costs. Multiplied across every member of a class, even the lower figure can reach a material sum.