This past week, The Home Depot, Inc. became the latest business hit with a class action lawsuit for their use of facial recognition security cameras allegedly in violation of the Illinois Biometric Information Privacy Act. If successful, Home Depot faces statutory damages of up to $5,000 for each time a shopper’s information was collected in violation of BIPA.

As we previously reported, BIPA is one of the nation’s leading statutes dealing with the collection and use of biometric data, like facial scans. The statute requires companies to obtain a written release from anyone whose biometric information they collect and then provide in writing the purposes of collecting such information and how long it will be stored. The complaint against Home Depot alleges the company “augmented its in-store security cameras with software that track individuals’ movements throughout the store using a unique scan of face geometry” and “surreptitiously attempt[s] to collect the faceprint of every person who appears in front of one of their facial-recognition cameras.” The use of facial recognition cameras as security is not new. Indeed, you may have just used facial recognition to unlock your phone to read this article. But the allegations against Home Depot serves as a reminder to any business using, or planning on using, facial recognition cameras to apprise itself of BIPA and other states’ biometric privacy laws. In addition to Illinois, who was the first to implement such legislation, the following states also regulate the collection, use and storage of biometric data:

  • CaliforniaAs previously reported on this blog, the California Consumer Privacy Act of 2018, effective January 1, 2020, requires companies to disclose what personal information it is collecting from a consumer, including biometric information, what categories of third parties it is shared with, and the “business or commercial purpose for collecting or selling personal information.” A business must also provide consumers with a copy of their stored personal data at their request and generally honor consumers’ requests to delete their data. This legislation applies to any business that “does business in California” if it meets certain benchmarks. Both the attorney general and consumers may bring suit under the legislation, which permits fines up to $7,500 per violation.
  • Texas – Prohibits the capture of “biometric identifiers” for “a commercial purpose,” unless the person is informed of its capture beforehand and consents. The company capturing biometric identifiers is generally prohibited from selling it, must use “reasonable care” in storing it, and must destroy the data “within a reasonable time.” A violation permits the attorney general to bring an action to recover a “civil penalty of not more than $25,000 for each violation.”
  • Washington – Provides that “[a] person may not enroll a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.” A violation permits the attorney general to bring an enforcement action under Washington’s consumer protection act.

Many states, New York being one of the latest, have adopted legislation amending their breach notification laws to include biometric data, requiring notification when there is unauthorized access to a person’s biometric information and placing protections on the storage of such data. And Alaska, Arizona, Delaware, Florida, Hawaii, Oregon, Massachusetts, Montana, New Hampshire, New Jersey, and Rhode Island are among those who have introduced legislation regulating the use of biometric data that have not yet passed.