Biometric privacy continues to be a hot-button topic in the United States, and internationally, with states continuing to join the wave of strict consumer biometric data protection laws.  In an effort to avoid costly class action litigation as the country begins to reopen following the COVID-19 pandemic, businesses should be mindful of the potential risks when implementing consumer-related biometric policies and procedures.

What Is Biometric Data?

Generally, biometric data are physical characteristics that can be used to digitally identify a person.  Physiological biometrics pertain to the body and include DNA, retinal scans, fingerprints or other characteristics such as the shape of a person’s hand or face or the sound of their voice.  For example, lawsuits premised on the capture of physiological biometric data have included the use of facial recognition at stores, entrances to businesses and facilities, or on websites, or the use of fingerprint identification (often, but not always, in the employment context).

In addition, some states, such as California, have expanded biometric information to also include behavioral characteristics, which encompass a person’s specific movements and actions or even thought-patterns.

Current Biometric Privacy Laws

Prior to 2018, only three states had biometric privacy laws: Illinois, Texas and Washington, and today, that number has nearly tripled.  Among those three states, only the Illinois’ Biometric and Information Privacy Act (BIPA, 740 ILCS 14/) provided for a private right of action, which has made it very attractive to the plaintiffs’ bar.  In fact, between 2018 and 2019, there were over 200 BIPA class action complaints filed across the United States.

In 2018, Louisiana amended its Data Breach Security Notification Law (Louisiana Revised Statutes 51:3071, et seq.) by expanding the definition of personal information to include biometric data and requiring notice to affected Louisiana residents within 60 days.  It further amended the breach notification law to impose data security and destruction requirements on covered entities, which broadly includes any person that conducts business in the state.  While the Louisiana Attorney General is currently the primary enforcer of data breach laws, private rights of action are permitted, which at the time, made it the second state to provide for such recourse.  In 2019, Arkansas also jumped on the biometric bandwagon and expanded the scope of “personal information” in its Personal Information Protection Act (PIPA) to include biometric data which is defined as data that is “generated by automatic measurements of an individual’s biological characteristics.”

On January 1, 2020, both California and Oregon’s biometric privacy laws went into effect.  California’s Consumer Privacy Act (CCPA, Sec. 1798.100) creates proactive notice, consent, and deletion obligations, among others, depending on how the personal information is used.  Notably, personal information under the CCPA is broadly expanded beyond a consumer’s biometric information and includes a consumer’s “internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”  Given the CCPA’s broad definition and reach, lawsuits under the act could expectedly surpass BIPA in short time.  Note, however, that while BIPA broadly provides for a private right of action for any person “aggrieved” by a violation of the act, the CCPA only provides consumers with a limited private right of action, specifically, when their “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.”

Oregon amended its Consumer Information Protection Act (OCIPA, ORS 646A-600, et seq.), effective January 1, 2020, to follow the national trend of expanding laws beyond mere “identity theft protection,” to focus on larger scale consumer privacy and data rights, which now includes protections for biometric data.  Personal information under the act now includes automatic measurements of a consumer’s physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction.

Finally, just as the COVID pandemic halted the nation, New York moved forward with its final phase of enacting its own biometric privacy law.  On March 21, 2020, New York completed its enactment of the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).  The SHIELD Act was split into two phases: the first phase broadened the current notification requirements for data breaches (effective October 23, 2019) and the second phase requires businesses to put reasonable measures in place to protect information (effective March 21, 2020).  The Act revised New York’s 2005 breach notification law to include biometric information in its definition of personal information and requires businesses that maintain New York residents’ personal information to include protections for biometric data when developing and implementing reasonable safeguards as required by the act. The SHIELD Act also provides for a limited private right of action.  As with the CCPA, the SHIELD Act is very new and untested, and therefore, businesses are encouraged to ensure compliance with these new laws (and previously existing laws) before implementing any consumer-based biometric policies.

Pending Biometric Privacy Laws

Aside from the eight states discussed above, another eleven states have proposed biometric privacy laws over the past few years.  Of those eleven states, Michigan, Alaska, Delaware, Florida, New Hampshire, Montana and Rhode Island have all introduced biometric privacy legislation since 2017; however, each has since died in committee or chamber.  Though no biometric privacy legislation has been passed in New Jersey, the state attempted to pioneer biometric regulation with a proposed bill back in 2002, six years before biometric privacy legislation was first passed in the United States. Currently, only Massachusetts, Hawaii and Arizona have pending biometric privacy legislation.

Post-COVID Concerns for Consumer-Based Businesses

As businesses adjust to the new “norms” following COVID-19, they will likely explore policies and procedures that aim to minimize consumer interaction and protect their invitees and customers from potential exposure to the virus.  While these policies are sure to give both consumers and employees a feeling of comfort, such policies could be far more costly than expected if the proper measures are not taken beforehand.

One solution that businesses have been exploring is the implementation of contactless infrared facial scanning at the entrances of store fronts to scan a consumer’s temperature.  However, this sort of policy, if unconsented, likely violates biometric privacy laws because, for example, BIPA prohibits unconsented capturing of “biometric identifiers,” which includes a “scan of … face geometry.”  While the intended capture of data is the consumer’s temperature, which is not covered under the law, it would nonetheless capture the consumer’s facial geometry, which is.  As discussed above, many of the recent biometric laws, and proposed legislation, get their roots from BIPA, which means that contactless infrared temperature scanning would likely violate several other biometric privacy laws across the country.  Therefore, such a strategy would require notice and consent to comply with the act.

As recently as April 2020, it was announced that certain amusement parks would be conducting temperature checks at their security checkpoints to avoid any potential COVID outbreaks among their customers.  While it is unclear what type of protocols will be implemented, there are reports that companies are exploring everything from handheld temperature checks to drone technology, and everything in between, including facial scanning.  As businesses begin to implement policies to enhance consumer safety following the COVID-19 outbreak, some policies will undoubtedly be challenged in the courts and shape the development of biometric privacy laws across the country.

The idea of capturing a consumer’s facial geometry is not new for COVID-19; rather, it was also used as early as 2017 to provide for faster food service.  In September 2017, restaurant chain Wow Bao was sued in Cook County, Illinois over its use of facial recognition technology to verify customers’ orders.  The complaint alleges that Wow Bao failed to obtain consent prior to capturing and storing customers’ biometric information.  This case is still pending, but decisions in this case will likely guide any future litigation or potential litigation as retailers and businesses start to put new policies in place.

Following the practices below will be more important than ever since the landscape of biometric laws continues to evolve and related lawsuits gain traction in the court systems.  As these laws are tested in the courts, we learn the strengths and dangers that these laws bear on businesses.  Further pursuit of these lawsuits recently became more attractive with the Illinois Supreme Court’s January 2019 decision finding that a “violation [of BIPA], in itself, is sufficient to support the individual’s or customer’s statutory cause of action.”  Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 33.

Best Practices

Businesses are encouraged to review and revise contracts and terms and conditions in order to cover new biometric privacy laws and developments in the existing laws.  Revising terms and conditions recently proved to be beneficial for Shutterfly, which, in 2019, was sued in Illinois by two consumers, alleging that Shutterfly illegally collected face scans of Chicago-area residents without adhering to BIPA regulations.  (Vernita Miracle-Pond, et al. v. Shutterfly Inc., N.D. Ill. Case No. 19-cv-04722).  The court held that a Shutterfly user must arbitrate the accusations of the complaint even though Shutterfly unilaterally amended its arbitration clause after the lawsuit was filed.  (2020 WL 2513099).  The key factor in the court’s decision was that Shutterfly users consent to unilateral modifications of the terms of use.  (Id. at *6).  The court rejected plaintiff’s argument that a new arbitration provision was ineffective because she did not receive notice and held: “[o]n the contrary, when parties agree in advance to allow unilateral modifications to the terms of their contract, subsequent modifications are binding regardless of whether the other party later ‘accepts’ the change.”  (Id.)

In order to ensure compliance with the growing landscape of biometric privacy laws, businesses should consult with experts before implementing any post-COVID procedures which may collect personal and physiological information about consumers, their customers or invitees.  If a business chooses to proceed with collection of biometric data, it should, at a minimum, adhere to the practices below:

  1. Develop and provide notice to consumers that covers information relating to capturing of biometric data, including the type of technology being used, the purpose for capturing the data, how the data will be captured, and how the data is being stored;
  2. Obtain consent from the consumer for collection and storage of biometric data, where applicable by law;
  3. Take steps to ensure that neither the business nor any vendor storing biometric data on the business’s behalf sells or discloses the data;
  4. Implement security protocols for the protection of biometric data; and
  5. Have appropriate provisions in vendor contracts ensuring they comply with existing laws and that the business may retain the right to request information and have the right to be notified in the event of a suspected breach.