2019 signalled significant growth in both regulatory focus and litigation involving biometric privacy. The passage of the California Consumer Privacy Act (CCPA), the addition of biometrics to numerous state data breach notification laws (including New York), and continued class action lawsuits emanating from Illinois’ Biometric Information Privacy Act (BIPA) made biometrics a trend line in 2019 that shows no signs of slowing down in 2020. State legislatures will continue to take note of BIPA’s impact in Illinois and will watch closely as the CCPA takes effect on January 1, 2020, taking cues as to whether or how to implement statutory and regulatory frameworks for biometrics in their own states. Organizations that collect and use consumer or employee biometric data should be aware of their obligations and be on the lookout for more activity on both the regulatory compliance and litigation fronts in the new year.
BIPA provides an express private right of action for consumers who claim that their biometric privacy rights have been violated. In January of 2019, the Illinois Supreme Court affirmed this right when it ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff need only allege a violation of BIPA, not actual harm, in order to plead a claim under the Act. Since this decision, BIPA has continued to spawn an onslaught of biometric privacy class actions.
Between 2018 and 2019 alone, over 200 class actions were filed for alleged violations of individuals’ biometric privacy rights under BIPA, many of which drew significant attention to issues of plaintiff standing. While some federal courts have dismissed BIPA suits for lack of subject matter jurisdiction due to, for example, “insufficient risk of future harm” (like a heightened risk of identity theft), the Ninth Circuit held that a plaintiff has standing to sue under BIPA even if a plaintiff has suffered no actual harm. A petition to review the Ninth Circuit’s decision currently is pending before the Supreme Court.
Notably, BIPA lawsuits have sprung up from alleged collection of voice recordings, fingerprints and handprints (e.g., for payroll time-tracking), and facial features. Companies that collect and use biometric identifiers for either employment or commercial purposes should evaluate these practices as they relate to Illinois consumers, but also anticipate that more states may follow with BIPA-like laws with private rights of action in the future. Texas and Washington already have similar biometric-specific laws that differ from BIPA in that they do not allow for private rights of action, but may be enforced by state attorneys general.
In addition to BIPA, other harbinger laws came into the fold in 2019 and will likely result in more states following in 2020: (i) the CCPA, which includes biometric information as part of its definition of “personal information” and creates proactive notice, consent, and deletion obligations, among others, depending on how that “personal information” is used, and (ii) New York’s SHIELD Act, which broadens the state’s breach notification law to include biometric information as “private information” that, if breached, imposes notification and disclosure obligations.
In the wake of these laws, other states have taken note and continue to develop comprehensive biometric privacy frameworks of their own. Some, like Alaska, followed Illinois’ lead by proposing a law that includes a private right of action and requires informed consent and written notice before collecting biometric data. Other state bills, like Massachusetts’ SD 341, take cues from both BIPA and the CCPA, and include biometric information in the broader definition of “personal information,” but also include a private right of action without a need to prove harm. Still other states adopted or altered data breach laws to incorporate biometric privacy considerations (including Arkansas HB 1943, passed in April 2019).
As the number of states that grant consumers and employees biometric privacy rights expands in 2020, it is becoming increasingly important for organizations to be aware of their proactive, consent-based obligations, and reactive, breach notice requirements, particularly in a growing class action-laden landscape. Organizations that collect or use biometric information should draft and/or amend biometric data policies and procedures to ensure compliance with applicable statutory requirements and avoid potentially costly litigation or regulatory action in the new year.