In an effort to improve data security, many banking and retail companies have begun using biometric data, such as fingerprints and other physical features, as high-tech replacements for passwords. In view of these efforts, state legislatures have passed biometric privacy laws that are intended to govern the use of – and prevent the misuse of – this data.
While the state laws governing the use of biometric data are well-intentioned, these laws create a significant risk of liability for all companies that collect biometric data, including those that use biometric data for internal purposes and for purposes wholly unrelated to security. For example, the Illinois Biometric Information Privacy Act (BIPA) requires all private entities in the possession of “biometric identifiers” (including retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry) to develop written, public policies concerning the use, retention, and destruction of biometric identifiers. In addition, BIPA prohibits the collection, capture, purchase, receipt through trade, or other acquisition of a person’s biometric information without first obtaining an informed release from that person. Those aggrieved by a violation of BIPA can obtain liquidated damages in the amount of $1,000 for a negligent violation and $5,000 for an intentional or reckless violation.
The broad sweep of BIPA, coupled with the statutory damages provision, has resulted in a rush of class action lawsuits alleging violations of BIPA by a range of businesses, from tanning salons to Google. And a California federal court recently certified a class in one of those lawsuits, In re Facebook Biometric Information Privacy Litigation, holding that the individual members of the class were entitled to recover statutory damages under BIPA even if they could not establish any individual injuries.
As In re Facebook demonstrates, state laws governing the use of biometric data can and will substantially impact companies across the nation. Those that collect and use biometric data face the difficult task of complying with a complex web of regulations governing the use of that data, a task that will become more difficult as additional states enact biometric privacy and other data privacy laws. Companies that collect and use data gathered from their employees and customers should take note of the risks associated with the use of that data, and should begin taking steps to minimize those risks, including enacting written policies governing the use of biometric data, obtaining consent prior to the collection and use of biometric data (even if the use is not commercial in nature), and monitoring legislation at the state and federal level to ensure continued compliance with all new and existing laws governing biometric data usage.