Biometric Information Litigation is Here – Are You Ready?

The proliferation of the use of biometric information continues at an astounding rate. In this first of our two-part series, we will discuss how states are legislating the use of biometric information and the potential liability implications for businesses. Our second installment will focus on the potential insurance coverage implications for their carriers.

The simple fact is that biometric information is becoming part of our everyday life. But what exactly is biometric information? Biometric information encompasses hand geometry, retina and iris patterns, voice waves and DNA. More and more businesses are utilizing biometric information to verify when an employee clocks in and out based on their fingerprint or other biometric information. The use of biometric technology is becoming increasingly popular in the marketing and advertising sector as well. Facial recognition technology allows “brick-and-mortar stores [to] scan the face of every shopper, identify returning customers and offer them individualized pricing—or find pre-identified shoplifters and known litigious individuals.”[1] Biometrics are also gaining traction in employer health plans and wellness programs, where the data is then aggregated to provide a complete risk profile for each individual (this information can then be used to provide incentives for behavior changes to lower the identified risks). Some hospitals now require patients to scan their hands to gain access to medical records, while banks have begun to use voiceprint technology to prevent criminals from gaining access to users’ bank accounts via telephone.[2] Businesses use fingerprints, hand geometry scans and facial recognition software to lock down secure areas, laptops, and storage devices. Within the next several years automakers may start incorporating biometrics into their vehicles that will allow operators to unlock and start their vehicles using their specific biometric information.

Somewhat predictably, state legislatures and the law have struggled to keep up with the speed with which the technological world continues to evolve and embed itself in our daily lives. Several states responded by enacting statutes governing the use of biometrics.[3] Broadly speaking, the statutes provide a definition of biometrics and require third parties to adhere to various statutory requirements regarding the use and collection of biometric data. The statutes closely resemble consumer protection statutes, with some allowing for a direct cause of action by the consumer while others vest enforcement exclusively with the state attorney general. In many senses, they mimic the legislation that the states enacted to protect against disclosure of PII and PHI. Attached to this article is a brief overview of those states that have either enacted or have pending legislation addressing biometric information. Since each state may define “biometric data” directly, and somewhat differently, careful attention must be paid to the insured’s specific jurisdiction.

As the use of biometric information has increased, so has the frequency of litigation regarding its use. Those cases can be divided into two distinct categories – employment and non-employment cases. This distinction is important, as some states exempt employers from their BIPA regulations. Employment / non-employment aside, the underlying facts reveal some recurring arguments: (1) the business failed to provide the correct notice or obtain permission; and (2) the collection of the information alone, without an accompanying data breach, placed the information at an increased risk of harm. More importantly, the courts offered insights into measures a business can take to proactively protect itself. For example, video gamers filed a class action in the Southern District of New York against Take-Two Interactive Software, Inc., in which they alleged that the game series NBA 2K violated BIPA because it allowed users to create a personalized avatar based on a 3D scan of their facial geometry. Take-Two ultimately succeeded in dismissing the claims, but that success was not based on the actual merits of the argument but on the Plaintiffs’ lack of standing. Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12, 17 (2d Cir. 2017). In the U.S. District Court for the Central District of California, a class action was filed against Facebook, claiming that Facebook’s Tag Suggestions program violated Illinois’ BIPA. Patel v. Facebook Inc., 290 F. Supp. 3d 948, 951 (N.D. Cal. 2018). That case is still pending and survived Facebook’s Motion to Dismiss.

The Take-Two opinion has limited precedential value, but it does offer the most significant guidance for defending BIPA litigation. It recognized that BIPA’s purpose is to prevent the unauthorized use, collection or disclosure of an individual’s biometric data. Based on this, the Take-Two court concluded that the plaintiffs’ claim that Take-Two failed to provide proper notice and obtain users’ consent prior to collecting their biometric data amounted to “bare procedural violations” that did not establish a material risk that plaintiffs’ biometric data would be used or disclosed without their consent. Again, this mirrors the early legal battles regarding whether the mere disclosure of PII (e.g., a social security number) was actionable without any resulting harm. Central to the Second Circuit’s finding was the fact that the plaintiffs were notified that their biometric data would be collected. Before scanning users’ biometric data, the MyPlayer feature provided the following notification:

Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement.

The Second Circuit also rejected the claim that Take-Two’s failure to obtain their written consent prior to collecting their biometric data conferred standing. The court noted that when using the MyPlayer feature, the plaintiffs had to “place their faces within 6 to 12 inches of the camera, slowly turn their heads to the left and to the right, and do so for approximately 15 minutes” in order for their face to be scanned. The court held that “no reasonable person” would fail to understand that their face was being scanned, and plaintiffs could not credibly assert that they would have withheld their consent had Take-Two provided a BIPA-compliant notice.

Employers defending BIPA actions alleging a failure to provide prior notice of, and obtain consent to, collection of biometric data using a biometric timeclock should consider taking at least the following two steps. First, they should identify any form of notice provided to employees even if the notice did not meet all of BIPA’s specific requirements. Second, they should analyze the technology used to collect biometric data to determine whether the technology itself effectively notified employees that their biometric data was being collected.

Based on the case law and the legislation (enacted or otherwise), the frontier of biometric data is new but not uncharted. The arguments and issues are quite similar to those presented by the electronic collection of PII and PHI. Businesses need to be aware of the laws of the states in which they operate, and whether they are required to provide notice and/or obtain consent before collecting biometric data. Businesses should prepare retention schedules to the extent they do store biometric data, and further ensure that the data is safeguarded to protect consumers from any harm. This is an emerging field, and we will stay tuned to the changes and trends in the case law and state legislation to keep our clients apprised of their duties vis-à-vis biometric data and how to minimize potential liability should they utilize this new technology.

Compendium of Current / Pending State Biometric Data Legislation

  • Alaska (2017 Bill Text AK H.B. 72). This bill was presented but did not make it out of committee. If passed, this bill would have permitted a private cause of action, but only for intentional violations of the statute. The statutory damages proposed were $1,000 for violations and $5,000 for violations that result in profit or monetary gain.
  • California (enacted in 2018, but does not go into effect until 2020). In a notoriously consumer-friendly and proactive state, the California Consumer Privacy Act of 2018 grants customers the right to sue for the “unauthorized access and exfiltration, theft, or disclosure” of “nonencrypted or nonredacted personal information.” Personal information is defined to include biometric data, among other categories of data. It also awards statutory damages of $100 to $750 per consumer per incident, and separately authorizes the California attorney general to obtain civil penalties of up to $7500 per violation against anyone who “intentionally” violates any provision of the new law.
  • Delaware (House Bill 350). This act was introduced in March of 2018, but has not yet been enacted. In its current form, there is no private right of action (the law may be enforced only by the Consumer Protection Unit of the Delaware Department of Justice). However, the bill would require a written retention schedule for keeping biometric information and prohibit the selling or profiting from an individual’s biometric data.
  • Illinois (740 ILCS 14/). The Biometric Information Privacy Act does not prevent companies from collecting, using, or storing the biometric data of their employees or customers, but it does have strict compliance requirements. Companies must give notice when they are collecting, using or storing biometric information, and must obtain written consent before collecting biometric data from any individual. Additionally, the act prohibits private entities from selling biometric information, restricts the disclosure thereof, and requires that reasonable care be taken in storing or transmitting biometric identifiers/information. Companies must also develop and implement a written biometric data policy that details guidelines for the retention and destruction of biometric data and adopt procedural safeguards to ensure sensitive data isn’t leaked or stolen. The damages are $1000 per violation for negligent violations and $5000 per violation for intentional or reckless violations (or actual damages, whichever is greater).
  • Michigan (2017 Bill Text MI H.B. 5019). This bill is pending, and it would provide a private cause of action with statutory damages of $1,000 for negligent violations and $5,000 for intentional or reckless violations. The bill would require a written retention schedule for biometric data, and it would also prohibit the collection of biometric data without prior notice and consent. The entity is also prohibited from selling or profiting from a biometric identifier.
  • Montana (2017 Bill Text MT H.B. 518). This bill died in Standing Committee. As proposed, it would have authorized a private cause of action with statutory damages of $1,000 for purposeful or knowing violations and $5,000 for violations that result in profit or monetary gain.
  • New Hampshire (2017 Bill Text NH H.B. 523). This bill provided a private cause of action with statutory damages of $1,000 for negligent violations and $5,000 for reckless or intentional violations, but it did not make it out of committee.
  • New York (Assembly Bill 9793 and Assembly Bill 8547). These bills, which are pending, are carbon copies of Illinois’ BIPA, which means that in addition to the typical provisions (requirements for obtaining written consent, providing disclosures, and securing and destroying the data, prohibitions on the sale of the data), the proposed bills include a private right of action and statutory damages of $1,000 for negligent violations and $5,000 for reckless or intentional violations.
  • Texas (Title 11 Section 503.001). The law applies only to biometric identifiers and defines those specifically as a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry. It does not include the analysis of biometric indicators. As for penalties, the law allows for civil penalties of up to $25,000, but only the attorney general can bring suit against companies for biometric privacy violations. Companies are prohibited from capturing and/or selling this data for commercial purposes without notice and consent.
  • Washington. Only the state attorney general may enforce the law; there is no private cause of action. The law covers “fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns or characteristics used to identify a specific individual,” and excludes photographs and voiceprints (the latter includes face or hand geometry scans as included in biological identifiers). The law prohibits the collection of biological indicators into a database without providing notice and obtaining consent, but this applies only to the commercial use of biometric indicators. The law does not cover businesses, or employers, using biometric information in a noncommercial manner.
  • Arizona, Colorado, Delaware, Illinois, Iowa, Louisiana, Maryland, Nebraska, New Mexico, North Carolina, South Dakota, Wisconsin and Wyoming all include biometric data in the definition of “personal information” in the context of their respective data breach notification statutes.

Jeannie Park Lee

C. Scott Rybny

[1] Ben Sobel, Facial recognition technology is everywhere. It may not be legal., The Washington Post (June 11, 2015),

[2] Elizabeth M. Walker, Biometric Boom: How the Private Sector Commodifies Human Characteristics, 25 Fordham Intell. Prop. Media & Ent. L.J. 831, 840 (2015).

[3] This issue is gathering steam at the federal level as evidenced by the Social Media Privacy Protection and Consumer Rights Act of 2018 (