Law360 (October 21, 2020, 5:56 PM EDT )
Nicola Menaldo
Alison Caditz
But does implementing biometric technologies that promote health and safety also increase the risk of a lawsuit? Here are the basics of what you need to know about U.S. biometrics law if your company is considering adopting — or is developing — a biometric-enabled solution for the workplace during the pandemic.
What are biometrics?
The term "biometrics" can mean many things, and the definitions matter. In a general sense, biometrics are unique biological or physiological characteristics — everything from fingerprints to heart rate to odor. But the ordinary meaning of biometrics may not align with the term's legal meaning. Four states — Texas, Washington, Illinois and California — regulate biometrics, and each statute defines the term differently.
Texas defines biometrics most narrowly, covering a discrete list of biometric identifiers: "retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry."[1]
The Illinois Biometric Information Privacy Act covers those same identifiers — "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry" — but also applies more broadly to information based on such identifiers when used to identify an individual.[2]
Illinois' law also includes many exclusions, including for writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions or physical descriptions such as height, weight, hair color or eye color.
Washington's law is both broader and narrower than the Illinois and Texas laws. Washington defines "biometric identifiers" more expansively in that the definition encompasses any "data generated by automatic measurements of an individual's biological characteristics" — and could thus cover new technologies that measure, for example, unique gait or heartbeat patterns.[3]
But Washington's law is also narrower in that it only applies when a person "enroll[s] a biometric identifier in a database for a commercial purpose"[4] — i.e., stores biometric identifiers matched to specific individuals and shares that data with third parties for marketing purposes unrelated to the purpose for collection.[5]
Lastly, the California Consumer Protection Act — a sweeping privacy statute that covers biometrics and many other types of personal information — defines biometrics most broadly. Biometrics include, without limitation, imagery of fingerprints, face scans and vein patterns, imagery from which a faceprint can be extracted, as well as gait patterns and sleep, health or exercise data that contain identifying information.[6]
The California Privacy Rights Act, a proposed law that will be on the November ballot, would create a new category of "sensitive personal information" that includes biometric information as well as, for example, financial information, geolocation, religious beliefs, text messages and ethnic origin.
What should you do before collecting biometrics?
The risk is high enough, and the requirements sufficiently complex, that it is worth reaching out to counsel before collecting or otherwise obtaining biometrics. Some of the basic requirements are described below.
In Texas and Illinois, both advance notice and consent are required.[7] And beware: Illinois law defines very specifically the types of required notice and consent, i.e., written consent and disclosures that biometrics are being collected or stored, as well as the purpose and length of time for collecting, storing or using the data.[8]
Washington requires advance notice and consent, or, alternatively, providing "a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose."[9]
In California, only advance notice is required, not consent.[10]
What other obligations apply when collecting biometrics?
Both Illinois and Texas specify the length of time that biometrics can be stored,[11] and Illinois additionally requires a publicly available retention schedule. Illinois and Texas also impose limitations on third-party disclosures and security requirements.[12] Illinois prohibits profiting from biometrics, as well as selling, leasing or trading biometrics.[13]
The Washington law also imposes requirements related to retention, disclosures and security.[14]
Collecting biometrics in California subjects businesses to the requirements of the CCPA as a whole with respect to that data, including the obligation to respond to individual consumer requests, such as requests to access or delete the data.[15]
What are the risks of collecting biometrics?
The risk is greatest in Illinois, as BIPA is enforced exclusively through its private right of action. Plaintiffs can sue as a class and recover up to $5,000 per violation in statutory damages.[16] What constitutes a violation is an open question. Nearly 800 BIPA lawsuits have been filed in the last five years, some settling for tens of millions of dollars or more.
Although California's CCPA also includes a private right of action that consumers can invoke when their personal information is subject to unauthorized disclosure, that right is meant to be narrow and the statute is generally enforced by the attorney general.[17] Washington's and Texas' biometrics laws, by contrast, are enforced exclusively by the attorney general, but civil penalties are significant.[18]
What should you consider when collecting biometrics?
Because each biometrics statute is unique, companies should ask the following questions in assessing potential litigation risk associated with adopting or developing a biometric-enabled solution:
Does it meet the definition of "biometrics" under applicable state law?
Depending on the state and the technology, a biometrics statute may not even be triggered — for instance, temperature alone may not trigger obligations under biometrics laws, whereas collecting without consent a face scan plus temperature would be very risky.
In China, for example, tablets in public buses measure passengers' temperature and take and store their photographs for contact-tracing purposes. A closer analysis of that technology would be necessary to evaluate whether it would trigger U.S. laws if used here.
Companies are also developing biometric technologies that identify faces wearing masks, detect whether people are wearing masks and enable touchless solutions through facial recognition, e.g., to open doors. The unique features of each technology will dictate whether a biometrics statute applies.
Can you be liable if you don't store the data, and, if you store it, should you associate it with other personally identifiable information?
Courts continue to evaluate the reach of U.S. biometrics statutes, but, in general, it is riskier to store biometrics with other personally identifiable information. For example, in California, biometric data falls within the scope of the statute only if the data "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."[19]
And in Washington, biometric data must be captured then "convert[ed] ... into a reference template that cannot be reconstructed into the original output image, and store[d] ... in a database that matches the biometric identifier to a specific individual."[20]
Will the data be used for any purpose other than for COVID-19-related purposes?
If so, you may run into trouble. Illinois' statute prohibits selling, leasing, trading or "otherwise profit[ing]" from biometric data.[21] Similarly, Washington's statute is triggered when a person "enroll[s] a biometric identifier in a database for a commercial purpose,"[22] and Texas' law bars "captur[ing] a biometric identifier of an individual for a commercial purpose."[23] Additionally, all three statutes require consent to disclose biometric data.
Notably, two competing federal COVID-19 privacy bills were introduced in May — one by Democratic senators, and the other by Republican senators — both of which require companies to collect personal information to track the spread of COVID-19, explain to consumers how their data would be used and who it would be shared with, and then obtain consent to collect it.[24]
Both bills prohibit companies from reusing data for other purposes, such as building advertising profiles of individuals, and both require companies to delete any information that could identify consumers once the pandemic ends.
The version introduced by Sen. Roger Wicker, R-Miss., applies only to private entities, preempts state law and contains no private right of action. By contrast, the version introduced by Sen. Richard Blumenthal, D-Conn., covers private and public entities, does not preempt state law and contains a private right of action that would allow individuals to sue. Congress has yet to take action on either of these bills.
Where will the data be processed and stored?
Can processing and storage be done on employees' own devices? These questions are significant. Illinois' statute regulates the collection and possession of biometrics,[25] and California's statute only applies to for-profit entities that collect consumers' personal information.[26]
Liability under Texas and Washington law requires at least a capture of biometric data.[27] There is very little court interpretation of these terms so far, but if you offer a technology where consumers or employees both process and store the biometric data, for example, on their own devices, your risk may be lower.
Biometric technology is here to stay, and the pandemic has only accelerated its adoption.
Nicola Menaldo is a partner and Alison Caditz is an associate at Perkins Coie LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] Tex. Bus. & Com. Code § 503.001(a).
[2] 740 ILCS 14/10.
[3] Wash. Rev. Code § 19.375.010(1).
[4] Id. § 19.375.020(1).
[5] Id. § 19.375.010(4), (5).
[6] Cal. Civ. Code § 1798.140(b).
[7] Tex. Bus. & Com. Code § 503.001(b); 740 ILCS 14/15(b).
[8] 740 ILCS 14/15(b).
[9] Wash. Rev. Code § 19.375.020(1).
[10] Cal. Civ. Code § 1798.105.
[11] 740 ILCS 14/15(a); Tex. Bus. & Com. Code § 503.001(c)(3).
[12] 740 ILCS 14/15(a).
[13] Id. § 14/15(c).
[14] Wash. Rev. Code § 19.375.020.
[15] See, e.g., Cal. Civ. Code § 1798.105.
[16] 740 ILCS 14/20.
[17] Cal. Civ. Code §§ 1798.150, 1798.155.
[18] Wash. Rev. Code § 19.375.030; Tex. Bus. & Com. Code § 503.001(d).
[19] Cal. Civ. Code § 1798.140(o)(1).
[20] Wash. Rev. Code § 19.375.010(5).
[21] 740 ILCS 14/15(c).
[22] Wash. Rev. Code § 19.375.020(1).
[23] Tex. Bus. & Com. Code § 503.001(b).
[24] See COVID-19 Consumer Data Protection Act of 2020, S.3663, 116th Cong. (2019-2020) (Republican bill); Public Health Emergency Privacy Act, S.3749, 116th Cong. (2019-2020) (Democratic bill).
[25] 740 ILCS 14/15.
[26] Cal. Civ. Code § 1798.140(c).
[27] Tex. Bus. & Com. Code § 503.001(b); Wash. Rev. Code § 19.375.010(5).