The growing legal and regulatory implications of collecting biometric data
In the last few years, biometric technologies from fingerprint to facial recognition are increasingly being leveraged by consumers for a wide range of use cases, ranging from payments to checking luggage at an airport or boarding a plane. While these technologies often simplify the user authentication experience, they also introduce new privacy challenges around the collection and storage of biometric data.
In the US, state regulators have reacted to these growing concerns around biometric data by enacting or proposing legislation. Illinois was the first state to enact such a law in 2008, the Biometric Information Privacy Act (BIPA). BIPA regulates how private organizations can collect, use, and store biometric data. BIPA also enabled individuals to sue individual organizations for damages based on misuse of biometric data.
Though it is a decade old, BIPA has gained renewed recent prominence owing to a January 2019 Illinois Supreme Court ruling, Rosenbach v. Six Flags. In this case, parents of a minor sued the Six Flags Great America amusement park in Gurnell, Illinois, arguing that biometric data was collected without consent and violated BIPA. As a side note, amusement parks increasingly require individuals to scan their ticket, followed by a biometric scan at a turnstile. This process is primarily an anti-fraud measure — if you manage to lose your ticket/pass, you provide your biometric data at a customer service counter to obtain a new one. This process reduces fraudsters from trying to get a free pass by claiming it is lost.
The Illinois Supreme Court reversed the lower court rulings and ruled that Six Flags had violated BIPA. Importantly, the Illinois Supreme Court ruled that plaintiffs did not have to demonstrate damages or harm (such as identity theft) from the collection of biometric data. The improper collection of biometric data was enough to enable individual consumers to sue organizations under BIPA.
This decision is a win for consumer and privacy rights and will lead to more legal challenges to BIPA, many of which are already working through the court system. One case to monitor is Patel v. Facebook, which is currently under review in the Ninth Circuit Court of Appeals in San Francisco and involves challenges against Facebook’s tagging of facial images uploaded to Facebook.
Massachusetts, New York, and Michigan all have privacy bills in development that have similar requirements to BIPA, and more states are likely to consider drafting laws governing the collection, usage, and storage of biometric data.
These developments do not mean the death knell of biometrics. They merely indicate that organizations that are considering collecting biometric data must adhere to privacy-by-design approaches and provide proper disclosure, consent, and opt-out requirements, as well as pay attention to this increasingly complex legislative environment to ensure that biometric data collection and retention is being done in accordance with these emerging laws.