The proliferation of the use of biometric information continues at an astounding rate. In this first of our two-part series, we will discuss how states are legislating the use of biometric information and the potential liability implications for businesses. Our second installment will focus on the potential insurance coverage implications for their carriers.
The simple fact is that biometric information is becoming part of our everyday life. But what exactly is biometric information? Biometric information encompasses hand geometry, retina and iris patterns, voice waves and DNA. More and more businesses are utilizing biometric information to verify when an employee clocks in and out based on their fingerprint or other biometric information. The use of biometric technology is becoming increasingly popular in the marketing and advertising sector as well. Facial recognition technology allows “brick-and-mortar stores [to] scan the face of every shopper, identify returning customers and offer them individualized pricing—or find pre-identified shoplifters and known litigious individuals.” Biometrics are also gaining traction in employer health plans and wellness programs, where the data is then aggregated to provide a complete risk profile for each individual (this information can then be used to provide incentives for behavior changes to lower the identified risks). Some hospitals now require patients to scan their hands to gain access to medical records, while banks have begun to use voiceprint technology to prevent criminals from gaining access to users’ bank accounts via telephone. Businesses use fingerprints, hand geometry scans and facial recognition software to lock down secure areas, laptops, and storage devices. Within the next several years automakers may start incorporating biometrics into their vehicles that will allow operators to unlock and start their vehicles using their specific biometric information.
Somewhat predictably, state legislatures and the law have struggled to keep up with the speed at which the technological world continues to evolve and embed itself within our daily lives. Several states responded by enacting statutes governing the use of biometrics. Broadly speaking, the statutes provide a definition of biometrics and require third parties to adhere to various statutory requirements regarding the use and collection of biometric data. The statutes closely resemble consumer protection statutes, with some allowing for a direct cause of action by the consumer while others vest enforcement with the state attorney general exclusively. In many senses, they mimic the legislation that the states enacted to protect against disclosure of PII and PHI. Attached to this article is a brief overview of those states that either enacted or have legislation pending to address biometric information. Since each state may define “biometric data” directly, and somewhat differently, careful attention must be paid to the insured’s specific jurisdiction.
As the use of biometric information has increased, so has the frequency of litigation regarding its use. Those cases can be divided into two distinct categories – employment and non-employment cases. This distinction is important, as some states exempt employers from their BIPA regulations. Employment / non-employment aside, the underlying facts reveal some recurring arguments: (1) the business failed to provide the correct notice or obtain permission; and (2) the collection of the information alone, without an accompanying data breach, placed the information at an increased risk of harm. More importantly, the courts offered insights into measures a business can take to proactively protect itself. For example, video gamers filed a class action in the Southern District of New York against Take-Two Interactive Software, Inc., in which they alleged that the game series NBA 2K violated BIPA because it allowed users to create a personalized avatar based on a 3D scan of their facial geometry. Take-Two ultimately succeeded in having the claims dismissed, but that success was based not on the actual merits of the argument but on the plaintiffs’ lack of standing. Santana v. Take-Two Interactive Software, Inc., 717 F. App’x 12, 17 (2d Cir. 2017). In the U.S. District Court for the Central District of California, a class action was filed against Facebook, claiming that Facebook’s Tag Suggestions program violated Illinois’ BIPA. Patel v. Facebook Inc., 290 F. Supp. 3d 948, 951 (N.D. Cal. 2018). That case is still pending and survived Facebook’s Motion to Dismiss.
The Take-Two opinion has limited precedential value, but does offer the most significant guidance for defending BIPA litigation. It recognized that BIPA’s purpose is to prevent the unauthorized use, collection or disclosure of an individual’s biometric data. Based on this, the Take-Two court concluded that the plaintiffs’ claim that Take-Two failed to provide proper notice and obtain users’ consent prior to collecting their biometric data amounted to “bare procedural violations” that did not establish a material risk that plaintiffs’ biometric data would be used or disclosed without their consent. Again, this mirrors the early legal battles regarding whether the mere disclosure of PII (i.e., a social security number) was actionable without any resulting harm. Central to the Second Circuit’s finding was the fact that the plaintiffs were notified that their biometric data would be collected. Before scanning a user’s biometric data, the MyPlayer feature provided the following notification:
Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement
The Second Circuit also rejected the claim that Take-Two’s failure to obtain their written consent prior to collecting their biometric data conferred standing. The court noted that when using the MyPlayer feature, the plaintiffs had to “place their faces within 6 to 12 inches of the camera, slowly turn their heads to the left and to the right, and do so for approximately 15 minutes” in order for their face to be scanned. The court held that “no reasonable person” would fail to understand that their face was being scanned, and plaintiffs could not credibly assert that they would have withheld their consent had Take-Two provided a BIPA-compliant notice.
Employers defending BIPA actions alleging a failure to provide prior notice of, and obtain consent to, collection of biometric data using a biometric timeclock should consider taking at least the following two steps. First, they should identify any form of notice provided to employees even if the notice did not meet all of BIPA’s specific requirements. Second, they should analyze the technology used to collect biometric data to determine whether the technology itself effectively notified employees that their biometric data was being collected.
Based on the case law and the legislation (enacted or otherwise), the frontier of biometric data is new but not uncharted. The arguments and issues are quite similar to those presented by the electronic collection of PII and PHI. Businesses need to be aware of the laws of the state in which they operate, and whether they are required to provide notice and/or obtain consent before collecting biometric data. Businesses should prepare retention schedules to the extent they do store biometric data, and further ensure that the data is safeguarded to protect consumers from any harm. This is an emerging field, and we will stay tuned in to the changes and trends in the case law and state legislation to keep our clients apprised of their duties vis-à-vis biometric data and how to minimize potential liability should they utilize this new technology.
Jeannie Park Lee
C. Scott Rybny
 Ben Sobel, Facial recognition technology is everywhere. It may not be legal., The Washington Post (June 11, 2015), https://www.washingtonpost.com/news/the-switch/wp/2015/06/11/facial-recognition-technology-is-everywhere-it-may-not-be-legal/.
 Elizabeth M. Walker, Biometric Boom: How the Private Sector Commodifies Human Characteristics, 25 Fordham Intell. Prop. Media & Ent. L.J. 831, 840 (2015).
 This issue is gathering steam at the federal level as evidenced by the Social Media Privacy Protection and Consumer Rights Act of 2018 (https://www.congress.gov/bill/115th-congress/senate-bill/2728/text).