You can hardly pick up a smartphone these days without reading about — and experiencing — how biometric authentication technology is changing our lives and businesses.
Finger and facial recognition have become so commonplace that you might not think twice before asking your employees to authenticate their time using similar technologies, especially because traditional punchcard systems can be inefficient and vulnerable to fraud or abuse.
But a recent spike in litigation illustrates the legal risks to introducing biometric authentication devices and practices to your business. More than 50 companies are now defending class-action lawsuits under the Illinois Biometric Information Privacy Act, or BIPA, which provides rules for the disclosure, retention and protection of biometric data, and permits any person aggrieved by a violation to recover $1,000 for each negligent violation and $5,000 for each intentional violation.
Texas and Washington have passed similar laws, and New York has a labor law governing the collection of biometric information, but unlike BIPA they do not create an individual right to sue.
BIPA governs “biometric identifiers” and “biometric information.” Biometric identifier means “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Biometric information means “any information … based on an individual’s biometric identifier used to identify an individual.”
To comply with BIPA, companies that collect or possess biometric identifiers or information must satisfy six statutory provisions.
- Written policy. Companies must have a policy, “made available to the public,” that describes their retention schedule and guidelines for permanently destroying the biometric data it handles. Importantly, the policy must provide for the destruction of a person’s biometrics at the earlier of (a) when the company’s initial purpose for collecting that information has been satisfied; or (b) within three years of the person’s last interaction with the company.
- Written notice. Companies must provide written notice to each person whose biometrics it handles, stating (a) that it is collecting/storing their biometrics; and (b) the specific purpose and length of term for the collection, storage and use.
- Written release. Companies must obtain a “written release” from each person whose biometrics will be handled.
- Consent to disclose. Companies that disclose biometrics to third parties must, in most circumstances, obtain consent to do so.
- Companies must store, transmit and protect the biometrics it handles in a manner that is both reasonable and commensurate with the protection it affords similarly confidential and sensitive information.
- Do not use biometrics for profit. Companies must never sell, lease, trade or “otherwise profit from” the biometrics it handles.
Courts Interpreting BIPA
Though BIPA was enacted in 2008, it was not the subject of litigation until the past few years, and the most dramatic uptick in filings occurred in late 2017. The majority of those actions involve the same basic factual situation: a current or former employee is suing because they scanned their finger to clock in and out of work.
But the most important BIPA case so far, decided Dec. 21, has a slightly different context. In Rosenbach v. Six Flags, the plaintiff, Stacy Rosenbach, sued Six Flags Entertainment Corp. and Great America LLC under BIPA for scanning her son’s fingerprints to verify his identity as a season pass holder. The Illinois Appellate Court ruled that a plaintiff “must allege some actual harm” to sue under BIPA, adding that “[i]f a person alleges only a technical violation of [BIPA] without alleging any injury or adverse effect, then he or she is not aggrieved and may not recover[.]”
The Illinois Appellate Court’s ruling makes sense. First, looking to BIPA’s language, only a “person aggrieved” is permitted to sue, strongly indicating that a plaintiff must allege an actual injury. Second, from a practical perspective, the vast majority of plaintiffs acknowledge voluntarily scanning their own fingers. Even so, this decision is poised to have far-reaching implications, and it seems likely that the authoritative interpretation of “person aggrieved” will ultimately come from a future decision of the Illinois Supreme Court.
With all this in mind, what can you do to minimize the risk and expense that biometric privacy class actions pose to your business?
First, determine whether any biometric privacy laws apply to your business. This may require consulting with an attorney familiar with biometric privacy laws and professionals who understand your underlying technologies. Even if your business does not collect biometric data from Illinois, Washington, Texas or New York residents, consider whether it might in the future or whether similar laws may be adopted in applicable jurisdictions (Michigan and Connecticut are considering similar laws). Second, if biometric privacy laws apply, understand the requirements and get into compliance. Regardless of whether you have been sued, you will need to determine whether your existing policies and practices satisfy some or all of the biometric privacy legal requirements. For those policies and practices that are noncompliant, you will need to design and implement new ones. Finally, if you have been sued, then in addition to assessing and remediating compliance issues, your attorney will need to consider employing certain strategies inherent in these cases with the potential to reduce litigation costs and increase your chance of success.
The recent spate of BIPA lawsuits represents a coordinated effort by the plaintiff’s bar to catch corporate legal departments off guard. Nevertheless, it is less likely an anomaly than a sign of things to come as biometric technologies continue to pervade our personal and business lives. Companies would do well to assess their technological and legal options and vulnerabilities now and to maintain vigilance over this emerging field in the future.
Anna S. Knight is administrative managing partner and Patrick J. Castle is an attorney with Shook, Hardy & Bacon in Chicago. Comment below or email email@example.com.