Ever since the enactment of the Illinois Biometric Information Privacy Act (BIPA), we have been watching the development of laws around the collection, use, disclosure and retention of biometric information. In general, BIPA and the other biometric information privacy laws enacted since it require any company that collects biometric information, such as fingerprints, voice recognition, retinal scans or facial scans, to provide notice to the individuals from whom the information is collected. That notice must state that biometric information is being collected, the purpose for which it is being collected and used, to whom it is being disclosed, and how long it is being retained. The laws usually also require companies to put appropriate security measures in place to protect the biometric information.
Litigation is rampant with BIPA and other biometric information privacy laws. For instance, recently, a fast food chain was sued for using voice recognition technology in its drive-through facilities without providing notice to consumers and obtaining consent.
The reason for these laws is pretty clear—this information is highly sensitive and unique to each person, and if it is compromised, the consequences could be significant or even catastrophic for the people affected. As I say, we have only one face, one set of fingerprints, a unique voice, and two irises. If a bad actor were to get ahold of this unique information, they could use it for nefarious purposes, including to steal our identity in very significant ways.
These laws, similar to the California Consumer Privacy Act (CCPA), include a private right of action if the company fails to comply with the provisions of the law. This means that if a company does not provide notice of the collection, use, disclosure and retention of the information, or if there is a compromise of the information, individual consumers can directly sue the company for failing to comply with the law and without showing actual harm, damages or consequences. This can lead to costly litigation.
It is hard (but necessary) for a full-time privacy professional like me to keep up with these laws, let alone for businesses that are not focused on this area of law. Biometric laws are popping up at the state, county, city and municipal level, much as drone laws used to pop up back in the day. For instance, the City of New York has enacted a biometric law that becomes effective next month. It applies to any “commercial establishment” in New York City, which means “a place of entertainment, a retail store, or a food and drink establishment,” and requires the business to place a “clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language…that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” The law further prohibits the sale of biometric information.
The New York City ordinance differs from BIPA and other state laws in that it (1) does not apply to employees of companies; (2) does not apply to financial institutions; and (3) does not apply to governmental entities. The similarity between the statutes, however, is that they both contain a private right of action for consumers. The New York City law states that an aggrieved person can sue the company for a violation of the law after first giving the company thirty days’ notice to cure the violation. This is similar to the private right of action in the CCPA (an individual may seek damages of $500 for each violation, up to $5,000 for each intentional or reckless violation, and receive reasonable attorneys’ fees and costs, expert witness fees, litigation expenses and injunctive relief).
New York City establishments—take note. Other establishments—understand that this is a rapidly developing area of privacy law that is difficult to monitor and may be tricky to comply with on a national, state, and municipal level. If you are collecting any biometric data from employees or consumers, you may wish to consider implementing a biometric information compliance program.