On October 17, 2019, Kilpatrick Townsend attorneys John Brigagliano and Vita Zeltser and Delta Air Lines Assistant General Counsel Jonathan Ware participated in a panel discussion on biometric data privacy, and discussed strategies to identify and mitigate legal risk associated with deploying technologies using biometrics. The event was a part of the KnowledgeNet program sponsored by the Atlanta chapter of the International Association of Privacy Professionals.
The takeaways from the panel discussion include:
1. Legal counsel must determine whether their clients (or their vendors) collect biometrics, and what legal regimes apply to that collection. To facilitate that inquiry, legal departments should inform key business stakeholders as to how biometrics are defined under applicable laws.
2. The Illinois Biometric Information Privacy Act (“BIPA”) requires technical compliance. BIPA requires organizations to, among other requirements, execute a written release with the subject of the biometrics; merely providing a one-way notice is insufficient. BIPA also provides statutory damages of $5,000 for each knowing violation of the statute.
3. Vendors and customers can shift compliance risks through contract. Customers can ensure, through contract, that vendors do not collect biometrics except as directed by the customer. Vendors who may not have direct access to the individuals whose biometrics are being collected can require customers to obtain written releases from the individuals on behalf of vendors.
4. Organizations should minimize collection and storage of biometrics. Biometric information is increasingly “notice triggering” under U.S. breach law, and is a “special category of personal data” under the GDPR. Companies should minimize the collection and storage of biometrics to only the information needed for operations, and securely destroy this information as soon as reasonably possible after its retention is no longer required or needed.
5. Using biometrics is not illegal but requires thorough compliance analysis. Biometrics have the potential to make companies safer and more efficient. Companies do not need to abandon using biometrics, but should instead develop compliance strategies before launching new biometrics uses.