Biometric Privacy Compliance Lawyer

Navigating the complexities of biometrics is complex, in large part because of the fast pace in which new biometric privacy laws are passed and also because of the patchwork biometrics regulatory landscape on the city, state, federal, and international levels. Not ensuring compliance with biometric laws can result in costly litigation as well as reputational and regulatory enforcement risk.

Some of the most notable laws to account for fall into three main categories – biometric-specific laws, components of comprehensive privacy laws that apply to biometrics, and city-level ordinances applicable to biometric information, which we further outline below:

Biometric-Specific Laws

Some of the most widely known biometric privacy laws are those that are “standalone” biometric-specific privacy laws aimed at solely regulating biometrics. These laws are contrasted by other laws, such as comprehensive privacy laws, which we discuss further below, which are broad-ranging but have biometric compliance components.

We overview two of the most widely knows biometric-specific state privacy laws below:

Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act (BIPA) is one of the original and most actively litigated biometric laws and sets stringent requirements for the collection, use, and storage of biometric identifiers and information. BIPA mandates informed consent, data retention policies, and the protection of biometric data. Non-compliance can lead to significant financial penalties and private actions. Most of the litigation on BIPA are costly class actions, which can be tracked here.

Texas’ “Capture or Use of Biometric Identifier” Act (CUBI)

Texas’ Capture or Use of Biometric Identifier Act (CUBI) also governs the collection and use of biometric data. CUBI requires businesses to inform individuals and obtain consent before capturing their biometric identifiers. The act emphasizes the importance of safeguarding biometric data to prevent unauthorized use and potential breaches. To illustrate the cost of non-compliance, Meta reached a $1.4 Billion settlement for violating CUBI with Texas’ attorney general, Ken Paxton. The allegation that resulted in the significant settlement centered on the collection of facial recognition information on millions of users in violation of state law by automatically tagging users’ faces on Facebook.

Comprehensive State and International Privacy Laws

Certain comprehensive privacy laws on the state level, such as California’s CCPA as amended by the CPRA and Colorado’s CPA, among numerous others, have components that specifically apply to the collection and use of biometrics. Further comprehensive international privacy laws, such as the European Union’s GDPR and the United Kingdom’s equivalent law, provide added conditions for biometric data processing. Lastly, health privacy laws, such as Washington MHMDA, have biometric applications as well.

City-Specific Laws

Several cities or similar jurisdictional-specific biometric privacy laws exist, including New York City’s, which, due to the large number of businesses within its scope, is more overarching than other county or city-specific laws.

New York City Biometric Identifier Information Law

New York City has enacted its own biometric-specific regulations, requiring businesses to disclose their use of biometric identifier technology and obtain consent from individuals before collecting their biometric data. Non-compliance can result in civil penalties and damage to reputation.

Sector-Specific Biometric Processing Applications Increasing

As biometrics and other assistive technologies, such as artificial intelligence, further advance, businesses of all types and sizes are incorporating rapidly evolving technologies into varying parts of their operations to accomplish efficiencies and stay at the cutting edge of the competitive landscape.

Some of the most commonly implemented scenarios for the implementation of biometric data processing and, by extension, the need for compliance include the following:

Biometrics in Employment and Recruiting

Biometric data usage in the recruiting and employment context is under intense scrutiny. For instance, Amazon faced a lawsuit for using and sharing the biometric data of their employees without proper consent due to potential violations of biometric and privacy laws.

Biometrics in Public Places and Retail

Biometric technologies are increasingly used in public places and retail environments for payment and security to prevent theft. However, businesses must navigate the legal requirements for biometric data collection and use, ensuring transparency and consent from individuals to prevent legal actions.

Social Media and Internet Platforms

Social media and internet platforms frequently face regulatory enforcement and private actions for improperly using biometric data. Notable cases include regulatory and private actions against Facebook and Twitter for failing to obtain proper consent and mishandling biometric data. That said, there is much nuance about what is deemed biometrics. For example, Facebook’s photo tagging technology to identify friends on social media has been deemed in at least certain contexts, such as BIPA, not to be biometric due to how the technology works.

Whole Foods NYC
Biometrics Notice

Web Scrapers

One of the most notorious uses of photographs scraped online and, by extension, potential biometric privacy and compliance applications, are vendors such as Clearview that hoover up millions if not billions of images and then sell offerings to law enforcement, among other clients access to vast databases with image and facial recognition use cases. Clearview has been the target of both private actions alleging noncompliance with various laws ranging from BIPA to the GDPR, which have resulted in orders to stop their activities as well as monetary settlements on numerous occasions, including a $33 million fine from a Dutch regulator.

Helping Clients Navigate Biometric Privacy Compliance

At RICHT, as a privacy lawyer guiding clients on the ever-evolving regulatory landscape, we help clients ensure compliance with biometric and related privacy laws, including:

Drafting and reviewing privacy policies and consent forms
Conducting data protection assessments and audits
Implementing DSAR and other privacy rights compliance
Advising on data retention and cybersecurity practices
Counseling clients in regulatory enforcement actions and litigation

We understand the nuanced requirements of biometric and privacy laws across various jurisdictions and sectors. By partnering with us, you can confidently capitalize on biometrics and related technologies while accounting for the legal compliance landscape to protect your business from potential risk.

Find Out How A Biometric Privacy Compliance Lawyer Can Help

Biometric Privacy Compliance News

US states take a page from EU’s AI Act, but biometrics impact likely minimal: America is grappling with how to regulate AI. A divide has opened up between the approaches of the federal and state governments, leading some like the Hyperdimensional Substack to suggest that the EU AI Act is being replicated across the Atlantic. But for biometrics providers, there are some important differences between state legislative efforts and the EU’s regulation.
Liability Reduced For Companies Facing Biometric Data Privacy Violations: Changes to the Illinois Biometric Information Privacy Act create a more reasonable risk environment for companies that might otherwise face huge penalties.
Meta Reaches $1.4 Billion Settlement With Texas Over Privacy Violations: The parent company of Facebook and Instagram faced allegations that it had collected facial identification information on millions of users in violation of a state law.
X Wants Permission To start Collecting Your Biometric Data And Employment History: X, the platform previously known as Twitter, is expanding the amount of data it collects on users. The social network has updated its privacy policy to include carveouts for “biometric information” and “employment history,” as spotted by Bloomberg.
Illinois Governor Signs BIPA Amendment into Law: On Aug. 2, Illinois Gov. J.B. Pritzker signed Senate Bill 2979, which amends the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA). The bill clarifies that a private entity that more than once collects or discloses the same biometric identifier or biometric information from the same person via the same method of collection in violation of the BIPA has committed a single violation for which an aggrieved person is entitled to, at most, one recovery.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.