The Future of Biometric Data Privacy Law and BIPA

Biometric Technology Industry

Biometrics encompasses a wide variety of technologies that aim to establish a person’s identity based on unique, unchanging physical or behavioral characteristics. Biometric technologies include fingerprint recognition, voice identification, facial recognition, DNA matching, and signature recognition.

Though biometric technology has been utilized for hundreds of years, there has been rapid technological innovation in the biometric field in recent years. Biometric technologies have become more mainstream in modern society, being introduced and utilized in diverse industries ranging from healthcare to financial services to personal devices (including wearables, cell phones, etc.). In fact, the biometric industry is estimated to have been worth nearly $17 billion in 2018.

The expanding biometric technology industry has created significant societal benefits. The various types of biometric technologies are utilized by the government, businesses, and individuals for purposes including identification, surveillance, security, etc. Biometric technology is advantageous over alternative methods of identification as it is more reliable, accurate, and secure. Further, identification through biometrics is harder to falsify or steal.

However, the advancement of biometric technologies has simultaneously generated new, complex privacy issues. The rationale for what makes biometric data so advantageous is the same rationale for what makes biometric data severely problematic: biometric data is unique to the individual and does not change over time.

As companies and the government collect and store individuals’ biometric data, there is a risk that this sensitive data will be compromised or breached by third parties. If a third party gains access to this information, the solution is not as simple as changing one’s password or cancelling one’s credit card. Biometric data is extremely valuable and intrinsically unique to the individual throughout an individual’s lifespan.

State Biometric Privacy Laws

The legal system has an important role in regulating and protecting each individual’s private biometric data. However, the United States currently lacks a comprehensive, federal biometric privacy law. In 2008, Illinois enacted the Biometric Information Privacy Act (BIPA) – the first state law addressing biometric privacy. BIPA requires that private entities which collect biometric data have a written public policy establishing a retention schedule. Further, such private entities may only “collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” if they previously informed the person or customer about collection or storage, specific purpose, and length of term and received a written release from the person or customer. A few other states have since passed biometric privacy laws, though none are quite as stringent and comprehensive as BIPA.

In 2009, Texas enacted the Texas Biometric Privacy Act (TBPA). TBPA provides that one “may not capture a biometric identifier of an individual for a commercial purpose unless” that party has previously informed the individual and received the individual’s consent. In 2017, Washington enacted H.B. 1493, which requires that “[a] person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” Other states have unsuccessfully attempted to enact biometric privacy bills, including Alaska, California, Idaho, Montana, and New York.

BIPA in the Legislature and Judiciary

BIPA, the most comprehensive state biometric privacy statute, has recently been the source of discussion in both the Illinois Legislature and Illinois Supreme Court.

On January 9th, 2019, the Illinois Legislature voted against adopting Illinois S.B. 3053, which would have amended BIPA. This amendment would have effectively limited BIPA so that it would not apply to private entities collecting, storing, or transmitting biometric information if certain criteria are met. For example, an exception would be made if the “biometric information is used exclusively for employment, human resources, fraud prevention, or security purposes.”

On January 25th, 2019, the Illinois Supreme Court, echoing the legislature’s approach, unanimously held that violation of a requirement under BIPA alone can support an individual’s cause of action; an individual does not need to prove harm in order to demonstrate standing (Rosenbach v. Six Flags Entm’t Corp.). This class action lawsuit was brought after an amusement park, Six Flags, collected a visitor’s fingerprint without informed consent, notice, and a written public policy. The plaintiff brought the suit on behalf of a class of amusement park customers and did not show or demonstrate actual injury as a result of the BIPA violation.

BIPA is the primary statutory framework utilized for biometric data privacy lawsuits as it is the only state biometric privacy statute that provides a private right of action and has substantial statutory penalties beginning at $1,000 for negligent violations and $5,000 for intentional or reckless violations. Since 2017, over two hundred class action lawsuits have been filed across the country claiming a violation of BIPA.

An increase in class action lawsuits filed under BIPA is anticipated following the Rosenbach decision. As the case law surrounding BIPA continues to unfold, it is likely that there will be a debate about whether lack of actual harm satisfies the standing requirements under Article III of the Constitution. Further, the constitutionality of BIPA may be called into question as the courts have not directly ruled BIPA constitutional. The Illinois Legislature’s and Illinois Supreme Court’s recent decisions are likely to result in a continued discussion of BIPA and biometric privacy law in both the legislature and judiciary. If discussions continue to progress with the same policy approach, one can expect a broad statutory interpretation of this strong state biometric privacy law.

Kathryn Leicht is a JD candidate, 2020, at NYU School of Law.