Ever since the enactment of the Illinois Biometric Information Privacy Act (BIPA), we have been watching the development of laws around the collection, use, disclosure and retention of biometric information. In general, BIPA and the other biometric information privacy laws enacted since it require any company that collects biometric information, such as fingerprints, voice recognition, retinal scans or facial scans, to provide notice to the individuals from whom it is collecting that information, stating that the biometric information is being collected, the purpose for which it is being collected and used, to whom it is being disclosed, and how long it is being retained. The laws usually also require companies to put appropriate security measures in place to protect the biometric information.

Litigation is rampant with BIPA and other biometric information privacy laws. For instance, recently, a fast food chain was sued for using voice recognition technology in its drive-through facilities without providing notice to consumers and obtaining consent.

The reason for these laws is pretty clear—this information is highly sensitive and unique to each person and if it is compromised, it could be significant or even catastrophic for the people whose information is compromised. As I say, we have only one face, one set of fingerprints, a unique voice, and two irises. If a bad actor were to get ahold of this unique information, they could use it for nefarious purposes, including to steal our identity in very significant ways.

These laws, similar to the California Consumer Privacy Act (CCPA), include a private right of action if the company fails to comply with the provisions of the law. This means that if a company does not provide notice of the collection, use, disclosure and retention of the information, or if there is a compromise of the information, individual consumers can directly sue the company for failing to comply with the law and without showing actual harm, damages or consequences. This can lead to costly litigation.

It is hard (but necessary) for a full-time privacy professional like me to keep up with these laws, let alone businesses that are not focused on this area of law. Biometric laws are popping up like drone laws used to pop up back in the day on the state, county, city and municipal level. For instance, the City of New York has enacted a biometric law that becomes effective next month that applies to a “commercial establishment” in New York City, which means “a place of entertainment, a retail store, or a food and drink establishment,” that requires the business to place a “clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language…that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” The law further prohibits the sale of biometric information.

The New York City ordinance differs from BIPA and other state laws in that it (1) does not apply to employees of companies; (2) does not apply to financial institutions; and (3) does not apply to governmental entities. The similarity of the statutes, however, is that both contain a private right of action for consumers. The New York City law states that an aggrieved person can sue the company for a violation of the law after first giving the company thirty days’ notice to cure the violation. This is similar to the private right of action in the CCPA (an individual may seek damages of $500 for each violation, up to $5,000 for each intentional or reckless violation, and receive reasonable attorneys’ fees and costs, expert witness fees, litigation expenses and injunctive relief).

New York City establishments—take note. Other establishments—understand that this is a rapidly developing area of privacy law that is difficult to monitor and may be tricky to comply with on a national, state, and municipal level. If you are collecting any biometric data from employees or consumers, you may wish to consider implementing a biometric information compliance program.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.