Federal Legislative and Regulatory Activity
There is no federal law that relates to the use of biometrics. Legislation introduced in March, 2023 – the “Facial Recognition and Biometric Technology Moratorium Act of 2023,” H.R. 1404/S. 681 – would apply only to the Federal government and state and local governments that receive federal public safety grants. Neither bill has advanced in the legislative process.
Most federal regulatory activity is narrowly tailored to specific matters, such as using biometrics to identify applicants for immigrant visas or for naturalization or using biometrics as an identification factor at automated airport kiosks operated by airlines at larger U.S. airports. The Federal Trade Commission has also adopted a non-binding policy statement on biometric information and how the use of such information implicates section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts or practices in or affecting commerce”. For example, companies that claim to offer biometrics technology that subsequently does not perform its intended purpose may be in violation of the Federal Trade Commission Act. Such non-compliance can attract a civil penalty of $50,120 per violation. For many businesses, this enforcement action is an unacceptable risk. Such risk emphasizes the need for an effective compliance strategy that addresses the requirements of all regulatory bodies.
State Legislative and Regulatory Activity
State lawmakers have taken the lead in developing rules regarding the use of biometric data. The Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/, was enacted in 2008 and was the first state biometric privacy law. The BIPA states that a business that collects biometric data must develop a written retention schedule and guidelines for permanently destroying biometric identifiers and information. The business must make this policy available to the public. 740 ILCS 14/15(a). The Act does not restrict the purposes for which biometric data may be collected. A “biometric identifier” is defined in the Act as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
Companies who violate the Illinois law may face a civil action brought by “[a]ny person aggrieved” by their violation (for example, staff or customers). A successful Plaintiff in a BIPA action may recover actual damages or liquidated damages of $1,000 per violation, or $5,000 for an intentional or reckless violation.
The other two state laws that relate specifically to biometric data – Tex. Bus. & Com. Code § 503.001 and RCW Ch. 19.375 – are similar to the Illinois law, except that the Texas and Washington laws are enforced by the states’ Attorneys General. These states do not allow a private right of action for violations. Legislation proposed in Massachusetts – H.63/S.195 – would permit enforcement by private action as well as by the Attorney General (both Massachusetts bills are pending in their respective houses of origin).
Many state consumer data privacy laws also apply to biometric data. The California Consumer Privacy Act of 2018, Cal. Civ. Code Tit. 1.81.5 (CCPA) explicitly includes biometric information within the definition of “personal information” protected by the CCPA. The Delaware Personal Data Privacy Act, approved by the Governor on September 11, 2023 and set to take effect January 1, 2025, includes biometric information within the Act’s definition of “sensitive data,” which may be processed only with the consent of the person to whom the data relates.
Biometric privacy laws are still relatively new, and much of the reported litigation surrounding those laws relates to procedural issues. However, in Rogers v. BNSF Railway Co., No. 19 C 3083 (N.D. Ill. June 30, 2023), a class action based on BNSF’s use of a contractor to collect biometric data as a means of controlling access to its facilities, the Court awarded the Plaintiffs $228 million, or $5,000 for each violation of the Illinois BIPA. The jury found that BNSF had recklessly or intentionally violated the BIPA 45,600 times, and the Court awarded damages based on the finding of recklessness or intent. On June 30, however, the Court granted BNSF a new trial on the issue of damages only, returning the matter for the jury to decide the damages, as opposed to the judge.
Additionally, in Cothron v. White Castle System, Inc., 2023 IL 128004, the Court found that White Castle had violated BIPA by failing to obtain informed consent from its employees for the use and storage of their fingerprint data in order to clock in at work, and to access their pay records. Damages are yet to be set,; however, the Court has acknowledged that if other employees join Ms. Cothron in a class action, the damages may be as high as $17 billion.
As the commercial use of biometric data continues to expand, it is probable that more states and federal agencies will take action to regulate the use of that data. States that do not enact specific biometric data protection laws may use their existing consumer data protection laws to prevent the perceived misuse of biometrics. The recent cases demonstrate that this area of the law poses a significant financial risk to companies who fail to comply. You can protect your company by ensuring thorough compliance with all aspects of both state and federal regulations, and by ensuring that your company has a detailed compliance plan.
About Us: LegalResearch.com provides multi-jurisdictional legal & regulatory research, best practice guidance, and analytics reporting services for corporations, trade associations, and law firms. If you would like assistance with your organization’s compliance & risk management initiatives, we are here to help. Please contact us directly at 844-638-6735 or visit our website at www.legalresearch.com to learn more about our services and submit an inquiry.