Navigating biometrics is complex, in large part because of the fast pace at which new biometric privacy laws are passed and because of the patchwork biometrics regulatory landscape on the city, state, federal, and international levels. Failing to ensure compliance with biometric laws can result in costly litigation as well as reputational and regulatory enforcement risk.
Some of the most notable laws to account for fall into three main categories – biometric-specific laws, components of comprehensive privacy laws that apply to biometrics, and city-level ordinances applicable to biometric information, which we further outline below:
Biometric-Specific Laws
Some of the most widely known biometric privacy laws are “standalone” biometric-specific laws aimed solely at regulating biometrics. They contrast with other laws, such as the comprehensive privacy laws discussed further below, which are broad-ranging but have biometric compliance components.
We provide an overview of two of the most widely known biometric-specific state privacy laws below:
Illinois Biometric Information Privacy Act (BIPA)
The Illinois Biometric Information Privacy Act (BIPA) is one of the original and most actively litigated biometric laws and sets stringent requirements for the collection, use, and storage of biometric identifiers and information. BIPA mandates informed consent, data retention policies, and the protection of biometric data. Non-compliance can lead to significant financial penalties and private actions. Most BIPA litigation consists of costly class actions, which can be tracked here.
Texas’ “Capture or Use of Biometric Identifier” Act (CUBI)
Texas’ Capture or Use of Biometric Identifier Act (CUBI) also governs the collection and use of biometric data. CUBI requires businesses to inform individuals and obtain consent before capturing their biometric identifiers. The act emphasizes the importance of safeguarding biometric data to prevent unauthorized use and potential breaches. To illustrate the cost of non-compliance, Meta reached a $1.4 billion settlement with Texas’ attorney general, Ken Paxton, for violating CUBI. The allegation that resulted in the significant settlement centered on the collection of facial recognition information on millions of users, in violation of state law, by automatically tagging users’ faces on Facebook.
Comprehensive State and International Privacy Laws
Certain comprehensive privacy laws on the state level, such as California’s CCPA as amended by the CPRA and Colorado’s CPA, among numerous others, have components that specifically apply to the collection and use of biometrics. Further, comprehensive international privacy laws, such as the European Union’s GDPR and the United Kingdom’s equivalent law, provide added conditions for biometric data processing. Lastly, health privacy laws, such as Washington’s MHMDA, have biometric applications as well.
City-Specific Laws
Several city-level or similar jurisdiction-specific biometric privacy laws exist, including New York City’s, which, due to the large number of businesses within its scope, is more overarching than other county or city-specific laws.
New York City Biometric Identifier Information Law
New York City has enacted its own biometric-specific regulations, requiring businesses to disclose their use of biometric identifier technology and obtain consent from individuals before collecting their biometric data. Non-compliance can result in civil penalties and damage to reputation.
Sector-Specific Biometric Processing Applications Increasing
As biometrics and other assistive technologies, such as artificial intelligence, further advance, businesses of all types and sizes are incorporating rapidly evolving technologies into varying parts of their operations to accomplish efficiencies and stay at the cutting edge of the competitive landscape.
Some of the most common scenarios for biometric data processing and, by extension, for the need for compliance include the following:
Biometrics in Employment and Recruiting
Biometric data usage in the recruiting and employment context is under intense scrutiny. For instance, Amazon faced a lawsuit alleging potential violations of biometric and privacy laws for using and sharing the biometric data of its employees without proper consent.
Biometrics in Public Places and Retail
Biometric technologies are increasingly used in public places and retail environments for payment and security to prevent theft. However, businesses must navigate the legal requirements for biometric data collection and use, ensuring transparency and consent from individuals to prevent legal actions.
Social Media and Internet Platforms
Social media and internet platforms frequently face regulatory enforcement and private actions for improperly using biometric data. Notable cases include regulatory and private actions against Facebook and Twitter for failing to obtain proper consent and mishandling biometric data. That said, there is much nuance about what is deemed biometrics. For example, Facebook’s photo tagging technology to identify friends on social media has been deemed in at least certain contexts, such as BIPA, not to be biometric due to how the technology works.
[Image: Whole Foods NYC biometrics notice]
Web Scrapers
One of the most notorious uses of photographs scraped online and, by extension, of potential biometric privacy and compliance applications involves vendors such as Clearview, which hoover up millions if not billions of images and then sell law enforcement, among other clients, access to vast databases with image and facial recognition use cases. Clearview has been the target of private actions alleging noncompliance with various laws ranging from BIPA to the GDPR, which have resulted in orders to stop its activities as well as monetary settlements on numerous occasions, including a $33 million fine from a Dutch regulator.
Helping Clients Navigate Biometric Privacy Compliance
At RICHT, as a privacy lawyer guiding clients on the ever-evolving regulatory landscape, we help clients ensure compliance with biometric and related privacy laws, including:
- Drafting and reviewing privacy policies and consent forms
- Conducting data protection assessments and audits
- Implementing DSAR and other privacy rights compliance
- Advising on data retention and cybersecurity practices
- Counseling clients in regulatory enforcement actions and litigation
We understand the nuanced requirements of biometric and privacy laws across various jurisdictions and sectors. By partnering with us, you can confidently capitalize on biometrics and related technologies while accounting for the legal compliance landscape to protect your business from potential risk.
Biometric Privacy Compliance News
- Liability Reduced For Companies Facing Biometric Data Privacy Violations: Changes to the Illinois Biometric Information Privacy Act create a more reasonable risk environment for companies that might otherwise face huge penalties.
- Meta Reaches $1.4 Billion Settlement With Texas Over Privacy Violations: The parent company of Facebook and Instagram faced allegations that it had collected facial identification information on millions of users in violation of a state law.
- X Wants Permission To Start Collecting Your Biometric Data And Employment History: X, the platform previously known as Twitter, is expanding the amount of data it collects on users. The social network has updated its privacy policy to include carveouts for “biometric information” and “employment history,” as spotted by Bloomberg.
- Illinois Governor Signs BIPA Amendment into Law: On Aug. 2, Illinois Gov. J.B. Pritzker signed Senate Bill 2979, which amends the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA). The bill clarifies that a private entity that more than once collects or discloses the same biometric identifier or biometric information from the same person via the same method of collection in violation of the BIPA has committed a single violation for which an aggrieved person is entitled to, at most, one recovery.