Facebook’s significant settlement could incite future class action lawsuits, further emphasizing the need for companies to comply with biometric privacy laws.
By Billee Elliott McAuliffe, Member, Lewis Rice
Thanks to a class-action suit filed against Facebook under the Illinois Biometric Information Privacy Act (BIPA), Facebook users in Illinois may receive part of a $550 million settlement. The settlement compensates users for Facebook’s utilization of facial recognition technology known as “tagging” without the user’s consent. If approved by the California district court, this settlement could spur others to bring similar lawsuits, putting businesses throughout the country at risk.
So, what are biometrics and biometric privacy? Biometrics is the measurement and analysis of unique physical or behavioral characteristics, such as fingerprints or voice patterns, especially as a means of verifying personal identity. Hence, biometric privacy is an individual’s right to keep his or her biometric information private and to control how that information is collected and used by third parties.
Biometric privacy laws, including BIPA, are like many new privacy laws that have promulgated over the last few years. All are informed consent laws, which generally require third parties gathering the biometric data, including fingerprints, facial scans, retina scans, DNA, gait analysis or voice recordings, to provide notice of their collection and use, the reason for the use, and how the data will be destroyed. Additionally, third parties must obtain permission from individuals to use their biometric information. Failure to provide both notice and control could result in liability for the data collector and users.
In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court ruled the mere failure to comply with statutory requirements of BIPA by any entity that collects, maintains, stores, or transfers biometric data is enough injury to allow the affected consumers to sue for damages and injunctive relief. This means no data breach, wrongful disclosure, or actual injury to the consumer is required for a business to be subject to civil liability under BIPA.
To avoid potential liability, all businesses handling information subject to BIPA should review their policies, procedures, and methods for collecting, using, storing, and protecting biometric data.
And it is not just Illinois companies that need to comply. In Patel v. Facebook, the case resulting in the $550 million settlement, Facebook argued that if any BIPA violations did occur, they did not primarily occur in Illinois, as Facebook’s servers are located in California. However, the California federal district court hearing the case disagreed, suggesting that a consumer’s mere use of Facebook in the State of Illinois was enough to make BIPA applicable. This extraterritorial holding in Patel, along with Rosenbach’s ruling that statutory non-compliance is sufficient injury to bring suit, means all entities must be aware of these laws and the restrictions on the use of biometrics.
In order to ensure compliance with BIPA, every business should audit its operations to understand if it collects or uses any biometric data through systems such as time clocks that require fingerprints, security access systems utilizing palm prints or facial recognition, or even surveys gathering biometric data for a wellness program. If your business does collect or use biometric information, then it must determine whether it is protected under any biometric privacy law.
While Illinois’ BIPA was the first and remains the most robust, Texas and Washington also have specific biometric privacy statutes. Additionally, many states include biometric information within their data breach notifications and other privacy and employee protection statutes. Certain biometric data is also protected under the federal Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), and the Fair Credit Reporting Act (FCRA), which imposes requirements and restrictions on employers conducting background checks.
Unfortunately, as with many other privacy laws, the types of biometrics that are protected and the requirements that must be implemented are different under each law. Therefore, understanding what is protected and the steps that must be taken to ensure full compliance may require a consultation with legal counsel.
After the business has determined what laws apply and the requirements of those laws, it will need to review and appropriately revise its policies, procedures, and methods of collecting, using, storing and protecting biometric information. Generally, revisions include giving notice to individuals, obtaining their consent for the collection and use of their data, and including documented retention schedules and guidelines for the destruction of the information.
The Facebook settlement shows that failure to comply with biometric privacy laws can result in substantial liability for companies. Under Illinois’ BIPA, individuals can receive more than $1,000 for negligent violations or $5,000 for intentional violations. Under Texas’ Capture or Use of Biometric Identifier Act (CUBI), violations could result in civil penalties of up to $25,000 per violation. In Washington, the attorney general has the right to seek up to $500,000.
Because these lawsuits can be quite costly, businesses must review the information they collect and determine if any actions need to be taken to comply with biometric privacy laws. If they don’t, they may get “tagged” like Facebook.
About the Author
Billee Elliott McAuliffe is a member of Lewis Rice practicing in the firm’s corporate department. Although she focuses on information technology, Billee also has extensive experience in corporate law, including technology licensing, cybersecurity and data privacy, and mergers and acquisitions. She is a member of the American Bar Association and the Bar Association of Metropolitan St. Louis. Billee can be reached online at firstname.lastname@example.org and at https://www.lewisrice.com/.