The Future of Biometric Data Privacy Law and BIPA
Biometric Technology Industry
Biometrics encompasses a wide variety of technologies that
aim to establish a person’s identity based on unique, unchanging physical or
behavioral characteristics. Biometric technologies include fingerprint
recognition, voice identification, facial recognition, DNA matching, and
signature recognition.
Though biometric technology has been utilized for hundreds
of years, the biometric field has seen rapid technological innovation in
recent years. Biometric technologies have become more mainstream in modern
society, being introduced and utilized in diverse industries, from healthcare
to financial services to personal devices (including wearables, cell phones,
etc.). In fact, the biometric industry is estimated to have been worth nearly
$17 billion in 2018.
The expanding biometric technology industry has created
significant societal benefits. The various types of biometric technologies are
utilized by the government, businesses, and individuals for purposes including identification,
surveillance, and security. Biometric technology is advantageous
over alternative methods of identification as it is more reliable,
accurate, and secure. Further, identification through biometrics is
harder to falsify or steal.
However, the advancement of biometric technologies has simultaneously
generated new, complex privacy issues. The rationale for what makes biometric
data so advantageous is the same rationale for what makes biometric data
severely problematic: biometric data is unique to the individual and does not
change over time.
As companies and the government collect and store
individuals’ biometric data, there is a risk that this sensitive data will be
compromised or breached by third parties. If a third party gains access to this
information, the solution is not as simple as changing one’s password or
cancelling one’s credit card. Biometric data is extremely valuable and
intrinsically unique to the individual throughout an individual’s lifespan.
State Biometric Privacy Laws
The legal system has an important role in regulating and
protecting each individual’s private biometric data. However, the United States
currently lacks a comprehensive, federal biometric privacy law. In 2008,
Illinois enacted the Biometric Information Privacy Act (BIPA) – the first
state law addressing biometric privacy. BIPA requires that private entities
which collect biometric
data have a written public policy establishing a retention schedule. Further,
such private entities may only “collect, capture, purchase, receive through
trade, or otherwise obtain a person’s or a customer’s biometric identifier or
biometric information” if they previously informed the person or customer about
collection or storage, specific purpose, and length of term and received a
written release from the person or customer. A few other states have since
passed biometric privacy laws, though none are quite as stringent and
comprehensive as BIPA.
In 2009, Texas enacted the Texas Biometric Privacy Act (TBPA). TBPA provides
that one “may not capture a biometric identifier of an individual for a
commercial purpose unless” that party has previously informed the individual
and received the individual’s consent. In 2017, Washington enacted H.B. 1493,
which requires that “[a] person may not enroll a biometric
identifier in a database for a commercial purpose, without first providing
notice, obtaining consent, or providing a mechanism to prevent the subsequent
use of a biometric identifier for a commercial purpose.” Other states have unsuccessfully
attempted to enact biometric privacy bills, including Alaska,
California, Idaho, Montana, and New York.
BIPA in the Legislature and Judiciary
BIPA, the most comprehensive state biometric privacy
statute, has recently been the source of discussion in both the Illinois
Legislature and Illinois Supreme Court.
On January 9th, 2019, the Illinois Legislature voted against adopting
Illinois S.B. 3053, which would have amended BIPA. This amendment would have
effectively limited BIPA so that it would not apply to private entities
collecting, storing, or transmitting biometric information if certain criteria
are met. For example, an
exception would be made if the “biometric information is used exclusively for
employment, human resources, fraud prevention, or security purposes.”
On January 25th, 2019, the Illinois Supreme Court, echoing
the legislature’s approach, unanimously held that violation of a requirement
under BIPA alone can support an individual’s cause of action; an individual
does not need to prove harm in order to demonstrate standing (Rosenbach
v. Six Flags Entm’t Corp.). This class action lawsuit was brought after
an amusement park, Six Flags, collected a visitor’s fingerprint without
informed consent, notice, and a written public policy. The plaintiff brought
the suit on behalf of a class of amusement park customers and did not show or
demonstrate actual injury as a result of the BIPA violation.
BIPA is the primary statutory framework utilized for
biometric data privacy lawsuits as it is the only state biometric privacy
statute that provides a private right of action and has substantial statutory
penalties beginning at $1,000 for negligent violations and $5,000
for intentional or reckless violations. Since 2017, over
two hundred class action lawsuits have been filed across the country
claiming a violation of BIPA.
An increase in class action lawsuits filed under BIPA is
anticipated following the Rosenbach decision. As the caselaw surrounding BIPA
continues to unfold, it is likely
that there will be a debate about whether lack of actual harm satisfies the
standing requirements under Article III of the Constitution. Further, the
constitutionality of BIPA may be called into question as the courts
have not directly ruled BIPA constitutional.
The Illinois Legislature’s and Illinois Supreme
Court’s recent decisions are likely to result in a continued discussion of BIPA
and biometric privacy law in both the legislature and judiciary. If discussions
continue to progress with the same policy approach, one can expect a broad
statutory interpretation of this strong state biometric privacy law.
Kathryn Leicht is a JD candidate, 2020, at NYU School of Law.