Biometrics is one of the emerging battlegrounds in consumer data privacy that continues to appear on state government agendas and in courtrooms. Biometrics is a term that refers to the measurement and calculation of body characteristics, such as fingerprints or retina scanning.
Several recent biometric privacy class action settlements include holding companies accountable for safeguarding consumer privacy, asking for consumer consent, and providing consumers with opt-outs to data sharing. Companies are taking proactive measures that allow them to remain agile amid evolving state and federal compliance obligations.
Biometric Data Privacy Laws
In 2008, Illinois became the first state to pass a biometric data privacy law. Legislators designed the Biometric Information Privacy Act (BIPA) to guard against the unlawful collection and storing of biometric data. The law requires any business that collects and stores facial recognition photos, fingerprints, iris scans, and DNA to provide details on how the personally identifiable information is stored and protected. While Washington and Texas have since passed similar laws, they do not extend as far as BIPA in expressly allowing citizens to file lawsuits for damages arising from violations. By law, Illinois residents could receive $1,000 in cases of recklessness or $5,000 if it can be proven the misconduct was willful.
California notably passed the nation’s broadest privacy reforms, which included biometric data in the scope. The California Consumer Privacy Act (CCPA), which went into effect January 1, 2020, requires covered entities to provide notice about how biometric data is used, stored, and shared, and specifically provides a private right of action if biometric data is involved in a security breach. While this law only applies to business conducted in California, companies should anticipate that more states will follow suit by addressing biometric data specifically in future consumer privacy laws.
At the federal level, pressure is mounting to pass a comprehensive, blanket consumer privacy law that addresses biometrics and applies uniformly to all states. The current discussion is not about whether there will be such a law, rather how will it apply. Should federal law circumvent states, or should it merely serve to bring lax states up to a common standard? Should states be permitted to craft stricter rules for their own constituents if they believe the federal law does not extend far enough?
Enforcement is another matter under debate. Should federal law provide citizens with a private right of action and permit personal compensation? Or should enforcement be limited to regulatory authorities, such as the Federal Trade Commission, only subject to government fines and penalties?
Biometric Privacy Class Action Settlements Likely to Follow on Facebook’s Heels
Social media giant Facebook was involved in one of the most significant biometric privacy class action settlements to date. Mark Zuckerberg’s company recently agreed to a proposed $550 million BIPA violations settlement. The class action suit alleged that Facebook began mapping users’ faces in 2011 to recognize individuals in photos and auto-suggest tags without user permission. Since the defendant is based in California, the class action was filed there, despite the claim relating to plaintiffs based in Illinois.
U.S. District Judge James Donato of the Northern District Court of California wondered why the class size was so modest, considering that millions of users had uploaded photos of themselves to Facebook since that time. He also sought an explanation as to why the $5,000 penalty was taken off the table, considering Facebook paid the FTC $5 billion in 2019 for deceiving users regarding how long their private information was under their control. As of June 2020, the matter was still pending in court.
Biometric data class action claims are expected to increase considerably. Facebook’s lawsuit joins a long, growing list of big businesses caught up in lawsuits claiming BIPA violations, which includes the likes of Google, Walgreens, Dr. Pepper, WeWork, and The Home Depot.
Biometric Data Privacy Concerns?
If you are a law firm or company with biometric data privacy concerns, you are not alone. Experts at Kroll Settlement Administration have been tracking consumer privacy laws, court opinions, and recent settlements across the country in administering class action claims. We are experts at guiding you through court approval, particularly in large, complex settlements. Contact us for a free consultation and quote on services.