The Evolution of Biometric Data Privacy Laws
November 4, 2021
As states and localities enact more robust laws related to data privacy and security, biometric privacy is front-of-mind for both legislators and businesses. An increase in biometric privacy class action lawsuits, an uptick in proposed legislation, and widespread criticism of facial recognition technologies suggest that biometrics will remain a hot topic for legal professionals.
[Bloomberg Law provides guidance that empowers practitioners to take decisive action amid fast-paced changes to privacy laws. Learn about our privacy and data security tools and resources.]
What is biometric data?
Biometrics are measurements related to a person’s unique physical characteristics, including but not limited to fingerprints, palmprints, voiceprints, facial, retinal, or iris measurements, and more. A person’s biometric data – their specific measurements – can be used as unique identifiers.
As tools to collect biometric data become more advanced and increasingly employed, laws like the Illinois Biometric Information Privacy Act (BIPA) are being introduced and considered to prevent private entities from collecting biometric information without disclosure and consent.
Subscribers Only: Biometrics In Focus
Learn more about the biometric data privacy laws currently in place, track the latest state legislative action, read news and analysis about related lawsuits and court rulings, and more.
The Illinois Biometric Information Privacy Act (BIPA)
In 2008, Illinois became the first state to enact a biometric data privacy law. The law requires entities that use and store biometric identifiers to comply with certain requirements and provides a private right of action for recovering statutory damages when they do not.
BIPA specifies that “[b]iometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.”
BIPA also states that, for the purposes of the act, a “‘biometric identifier’” means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
The U.S. Court of Appeals for the Seventh Circuit clarified the federal standing requirements for claims brought pursuant to BIPA.
Prominent BIPA Lawsuits
A decade after its enactment, several recent cases have put BIPA in the headlines and made it easier to file BIPA suits.
First, in 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp. held that a plaintiff can be considered an “aggrieved person” under the statute and “be entitled to liquidated damages and injunctive relief” without alleging an actual injury. Then, in May 2020, the U.S. Court of Appeals for the Seventh Circuit in Bryant v. Compass Group USA, Inc. clarified that such a person has suffered an injury-in-fact sufficient to support standing under BIPA Section 15(b).
Also in 2020, the Facebook BIPA class action lawsuit Patel v. Facebook, Inc. reached a conclusion when Facebook agreed to a $650 million settlement, one of the largest consumer privacy settlements in U.S. history, to resolve claims it collected user biometric data without consent.
According to Bloomberg Law Dockets, only about 10 federal complaints in 2018 alleged a BIPA claim. In 2019, that more than doubled to 28. And in 2020, more than 80 federal complaints alleged BIPA violations.
[From GDPR to CPRA and beyond, practitioners can count on Bloomberg law to keep them up to date on the latest privacy and data security developments. Learn more.]
Download: The Essential General Counsel Toolkit
This comprehensive collection of expert-drafted Practical Guidance covers hot topics such as privacy laws, cybersecurity, ESG concerns, and more.
Which other states have biometric privacy laws?
Texas and Washington also have broad biometric privacy laws on the books, but neither creates a private right of action. Still, other states like Arizona and New York have enacted tailored biometric privacy measures, and many more have enacted law specifically targeting the use of facial recognition technology.
Find answers to many of the most common questions about the CCPA and CPRA, covering enforcement, the rights provided to consumers, and who must comply.
Compare Illinois, Texas, and Washington Biometric Privacy Statutes
Is there potential for a national biometric privacy law?
In August 2020, Senators Jeff Merkley (D-Ore.) and Bernie Sanders (I-Vt.) introduced the National Biometric Information Privacy Act of 2020, which would impose nationwide requirements similar to those in BIPA.
It also contains several requirements that go beyond BIPA, including purpose limitations, the implementation of a “right to know” (similar to that found in the California Consumer Privacy Act of 2018 or CCPA), and a ban on the use of biometric data for advertising purposes.
If prior attempts at enacting federal privacy legislation are any indication, the act will face an uphill battle in garnering enough votes to become law. That being said, its introduction indicates increased pressure for uniform, consistent privacy regulation.
Subscribers Only: Taking the Pulse of Biometric Privacy
This professional perspective summarizes the current biometric privacy landscape and offers predictions on future trends in legislation and litigation.
Legal Research and Practice Tools:
With evolving and emerging technologies come new risks and responsibilities. Bloomberg Law’s essential news, expert analysis, and practice tools will help you stay ahead of privacy and data security developments and protect your business.
Access to this information requires a subscription to Bloomberg Law. Don’t have access? Request a demo.