
Commentary: Businesses beware of biometric privacy laws

Technology is constantly evolving, ever more powerful, and has become the digital storage locker for most of our personal and professional information, which makes securing biometric data all the more necessary. You may not realize it, but if you have ever unlocked your cell phone with your fingerprint or your face, you have already participated in biometric data collection. Just as individuals want their fingerprints and facial scans kept safe from identity theft and other misuse of personal information, businesses should be safeguarding their own use of such data. As more states contemplate and implement data protection laws, businesses must act quickly to navigate this largely uncharted territory.

Biometric data protection laws regulate the collection, use, storage, dissemination and destruction of biometric information, including identifiers such as fingerprints, palm prints, voice recognition, facial-geometry recognition, retina scans, iris scans, DNA recognition, gait recognition and even scent recognition.

Currently, no federal law regulates the biometric identifiers that can be used to digitally identify a person. Various legislators have supported and lobbied for a National Biometric Information Privacy Act (NBIPA), though NBIPA has gained very little traction. Several states, however, have implemented statutory schemes to govern and protect biometric data, including Illinois, Texas, Washington, California, New York and Arkansas.

Illinois is a pioneer in biometric data privacy. In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA), one of the first state laws to address businesses’ collection and use of biometric data. BIPA’s comprehensive set of rules imposes key requirements on businesses operating in Illinois, including informed consent as well as protection and retention guidelines.

BIPA carries steep consequences. It provides liquidated damages of up to $1,000 for each negligent violation and up to $5,000 for each intentional or reckless violation, plus attorneys’ fees. A question remains for the courts to decide whether those amounts accrue per transaction (i.e., per fingerprint scan) or per person; the former would be devastating to small businesses that violate the act.

Missouri law does not currently address biometric data privacy. As digitalization continues, however, more states are likely to adopt statutory schemes to protect individuals’ biometric data.

Businesses that collect or use biometric data should implement comprehensive data privacy and protection measures sooner rather than later, regardless of where they operate and do business.

Best practices and recommendations

The biometric data landscape is evolving and full of potential liability. Accordingly, businesses should establish a plan and safeguards to ensure compliance with the appropriate federal data security laws (particularly the Federal Trade Commission Act, Section 5) and existing state laws when using, collecting, storing, disseminating or destroying biometric data. Recommendations for businesses to consider are:

Provide notice to employees and customers before collecting, using, storing or disseminating biometric information. The notice should specify the type of data being collected, the purpose for which it will be used, with whom it will be shared and why, how long and where it will be stored, and how it will be deleted when appropriate. Use, share and disclose biometric data only as set forth in that notice.

Obtain consent from customers and employees before collecting biometric information.

Obtain a release from all employees for biometric information already collected, stored or used.

Allow individuals to opt out of biometric data collection.

Avoid using or selling biometric data for commercial benefit.

Store biometric data securely and only for as long as needed.

Develop policies and procedures concerning a) the destruction of biometric information when it is no longer needed, and b) the response to a potential data breach.

Given the growing use of biometric data by companies and the increased demand for privacy protection, it is imperative for businesses to adopt security measures to protect individuals’ rights.

Jordan R. Lewis is an attorney in the litigation practice at Carmody MacDonald in St. Louis. He has experience representing business clients in claims related to cybersecurity and consumer privacy, including claims under the Illinois Biometric Information Privacy Act. Contact Jordan at [email protected] or 314-854-8634. This column is for informational purposes only. Nothing herein should be treated as legal advice or as creating an attorney-client relationship. The choice of a lawyer is an important decision and should not be based solely on advertisements.


Current state of biometric privacy laws

Illinois: The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14 et seq., was the first state statute to address biometric data. Under BIPA, private entities that use biometric information must have a written policy, made available to the public, covering the collection, retention and destruction of biometric information. BIPA requires advance disclosure and a written release from those (customers or employees) whose information is going to be collected or used. BIPA’s remedies are severe: unlike the other states’ statutes, the act creates a private right of action, with liquidated damages of $1,000 (or actual damages, if greater) for each negligent violation or $5,000 (or actual damages, if greater) for each intentional or reckless violation, plus attorneys’ fees and costs.

New York: New York amended its existing data-breach notification laws with its 2019 Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The SHIELD Act broadens the definition of private information to include biometric information. It defines biometric information to include fingerprints, voiceprints, retina or iris images, or other unique physical characteristics. Interestingly, it also includes other forms of unique digital representation of biometric data used for authentication purposes. Earlier, New York also had passed a limited biometric law, N.Y. Lab. Law §201-a, which applies specifically in the employment context and prohibits fingerprinting “as a condition of securing employment or of continuing employment.” This act does not expressly provide for a private right of action.

California: California’s widely known California Consumer Privacy Act (CCPA) regulates biometric data by including it in the definition of personal information. CCPA defines biometric data very broadly to include “physiological, biological or behavioral characteristics, including … DNA[,] that can be used … to establish individual identity,” including “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

Arkansas: Several months ago, Arkansas became the latest state to pass biometric-data legislation. Specifically, Arkansas amended its breach-response law, Arkansas Code §4-110-103(7), by revising the definition of covered personal information to now also include biometric data. It defined biometric data to include an individual’s “Fingerprints; Faceprint; A retinal or iris scan; Hand geometry; Voiceprint analysis; Deoxyribonucleic acid (DNA); or Any other unique biological characteristics.”