Biometric Technology: Putting a Finger on the Problem
Niya T. McCray, CIPP/US
An Overview
Biometric technology has changed the way clients conduct business, how consumers interact with products, and ultimately, how lawyers provide counsel. Biometric data, as defined by the National Institute of Standards and Technology, is the measurement of physiological characteristics, such as fingerprints, iris patterns, or facial features, used to identify an individual.[i] Biometric technology has become so commonplace in our daily lives that we take its presence for granted when unlocking our phones (fingerprint and facial recognition) or telling Siri or Alexa to change the channel or remind us of a task to complete later (voice recognition). A growing number of entities incorporate biometric data into their daily operations to streamline their systems, prevent timekeeping fraud, and strengthen the integrity of operational security. Unlike a password or an account number, a compromised fingerprint or faceprint cannot be replaced, and that permanence is the concern behind much of the legislation discussed below.
Biometric Legislation
As convenient and familiar as biometrics have become, nowhere is their presence felt more than in the flood of legislation and litigation arising from concerns over how this non-traditional data should be managed. The legislative horizon is murky, to say the least. A few states (Illinois, Washington, and Texas) have blazed the trail by enacting comprehensive biometric data privacy statutes. As it stands, the states have taken two approaches. Some, like Delaware, New Jersey, and North Carolina, have amended existing breach notification laws to include biometric data within the definition of sensitive personal information, whereas others, like Alaska, Montana, and Connecticut, take the view that biometric data warrants its own legislation.
Illinois’ Biometric Information Privacy Act (BIPA), the first of its kind, was passed in 2008.[ii] The hallmark of BIPA is its private right of action, which has caused grief for defendants both in and out of Illinois. Texas[iii] and Washington[iv] have followed in Illinois’ footsteps, carving out their own biometric statutes. Unlike Illinois, though, Texas and Washington omitted the private right of action, leaving enforcement to the discretion of the state Attorneys General.
Biometric Litigation
From early September 2017 through December 2017, more than fifty entities that we know of were named in class action suits claiming violations of Illinois’ BIPA.[v] The majority of suits were brought by employees alleging that fingerprint scanning adopted to streamline employer timekeeping systems violated BIPA’s notice, consent, and disclosure requirements. A few suits were brought by consumers against commercial entities, alleging that similar biometric data, ranging from fingerprints to facial scans, was collected during transactions in contravention of BIPA’s safeguards.
However, in a surprising turn of events, a December ruling from the Illinois Appellate Court narrowed the reach of BIPA’s private cause of action. In Rosenbach v. Six Flags Entertainment Corp.,[vi] currently on appeal to the Illinois Supreme Court, the plaintiff alleged that the defendant failed to obtain verifiable written consent and to disclose its policies for the collection, retention, and destruction of consumer biometric data (fingerprints) in connection with season pass purchases.[vii] The plaintiff, however, did not allege any actual injury, but rather claimed that had she known of the defendant’s practices, she would not have allowed her son to purchase the season pass. The Appellate Court homed in on the “aggrieved by” language in BIPA’s remedy provision, Section 20, noted that BIPA is silent as to the meaning of “aggrieved,” and looked to the plain meaning of the term. On that plain meaning, the court held that an “aggrieved” plaintiff under BIPA must do more than allege a technical violation of the Act: there must be “an actual injury, adverse effect, or harm.”[viii] A defendant’s failure to provide notice or obtain consent before collecting biometric identifiers, by itself, was therefore not enough to meet the “aggrieved” standard under the Act.
While the Rosenbach ruling is not dispositive of pending BIPA suits, it does suggest that plaintiffs may slow their rush to the courthouse in favor of litigation strategies that plead an injury sufficient to meet the “aggrieved” standard as the court has clarified it.
While Rosenbach remains undecided, In re Facebook Biometric Information Privacy Litigation and Gullen v. Facebook, Inc.[ix] shed additional light on the scope and extraterritorial reach of BIPA.[x] The plaintiffs, both users and non-users of the Facebook platform, alleged that Facebook did not obtain “written, informed consent” before using facial recognition software to suggest “tagging” options to friends.[xi] Facebook, in an attempt to defeat class certification, argued that because its servers were not located in Illinois, BIPA could not apply to the plaintiffs’ claims. The court explained that where “the named plaintiffs [were] located in Illinois along with all of the proposed class members, and the claims [were] based on the application of Illinois law to use of Facebook mainly in Illinois… the case [was] properly governed by Illinois law pursuant to California choice of law principles.”[xii] In practice, the Facebook case shows that, although BIPA has no extraterritorial reach of its own, it can still transcend borders where Illinois residents have been harmed, regardless of where the servers that process the data sit.
Litigation Preparedness
Given that biometrics are now a permanent technological staple, legal counsel for clients in affected industries should consider how best to protect those clients from potential litigation. Specifically, counsel should chart out potential defenses, including the scope and reach of any applicable biometric and data privacy statutes. Counsel should also thoroughly analyze possible jurisdictional issues, choice of law arguments, and standing arguments. Going forward, counsel and clients would do well to inventory the types of personal information being collected, with an eye on where it is stored, how long it is retained, and how and when it is destroyed. Moreover, clients, regardless of sector or industry, should maintain a thorough log of all service providers and vendors that receive or process such data and seek the advice of counsel on whether their respective contracts include data privacy provisions.
Once this initial map of the data security framework exists, lawyer and client alike should look to next steps. The strongest protection from potential litigation is a meticulously developed, plainly articulated written policy describing the organization’s security plan, including the retention schedule and destruction guidelines for biometric data that BIPA itself requires an entity to make publicly available. The value of internal privacy training and of regularly conducted privacy risk assessments should not be lost on clients. Effective counsel will ensure clients have an incident response plan that eliminates confusion in the event of a breach. Less is more when it comes to data collection, and effective preparation, together with a thorough data security and response plan, will help clients reduce the likelihood of both incidents and litigation.
[i]. Nat’l Inst. Standards & Tech., U.S. Dept. Commerce, Biometrics, NIST, https://www.nist.gov/programs-projects/biometrics (last updated July 11, 2018).
[ii]. 740 Ill. Comp. Stat. 14/10 (2008).
[iii]. Tex. Bus. & Com. Code Ann. § 503.001 (West 2015).
[iv]. Wash. Rev. Code Ann. § 40.26.020 (West 2017).
[v]. Fox Rothschild, LLP, Measuring the Impact of the Illinois Biometric Information Privacy Act, Fox Rothschild: Data Privacy Blog (June 21, 2018), https://dataprivacy.foxrothschild.com/2018/06/articles/data-protection-law-compliance/the-illinois-biometric-information-privacy-act/.
[vi]. Rosenbach v. Six Flags Entertainment Corp., 2017 IL App (2d) 170317, 2017 WL 6523910 (Ill. App. Ct. 2017).
[vii]. Id. at *1.
[viii]. Id. at *3.
[ix]. In re Facebook Biometric Info. Privacy Litig., No. 3:15-cv-03747-JD (N.D. Cal. 2016).
[x]. Id. at *8.
[xi]. Id. at *1.
[xii]. Id. at *8.