Privacy Regimes for Protecting Biometric Information

September 2019

Enforcement of biometric privacy laws has been on the rise, starting with the Illinois case Rosenbach v. Six Flags (discussed in a January alert), which held that statutory non-compliance with the Illinois Biometric Information Privacy Act (BIPA) constitutes sufficient injury to permit suits for damages and injunctive relief. The acquisition of biometric information also is being scrutinized under the European Union's (EU's) General Data Protection Regulation (GDPR), with the Swedish Data Protection Authority recently issuing a $20,650 fine to a school that used biometric facial recognition technology to record attendance.

The uniqueness of biometric information can be useful to verify identities and prevent fraud. However, because of the potential fines and harm to individuals, businesses should ensure that their use and protection of biometric information complies with applicable law. Various privacy laws differ in how they address the collection and protection of biometric information.

General Data Protection Regulation (GDPR)

Under the GDPR, biometric data is defined as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.” The GDPR classifies biometric data as a “special category of personal data,” which means that processing of biometric data is permitted only under conditions enumerated in the regulation, such as explicit consent of the data subject, the performance of specific contracts, or processing for certain purposes. 

Additionally, the GDPR requires a data protection impact assessment for large-scale processing of biometric data. Among other things, this assessment must evaluate the risks to the rights and freedoms of the data subject and the measures to address those risks. If the assessment indicates that processing would result in a high risk in the absence of measures to mitigate that risk, the data controller must consult the appropriate supervisory authority before processing any biometric data.

The GDPR expressly permits EU member states to impose additional conditions or limitations on the processing of biometric data. As such, data controllers should expect to encounter and comply with differing approaches from member states regarding biometric data processing. For example, although explicit consent permits processing of biometric data, the Swedish Data Protection Authority found in the school case described above that consent was not valid, because the students were dependent on the school.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) defines “biometric data” similarly to the GDPR and includes deoxyribonucleic acid (DNA), iris and retina scans, fingerprints, vein patterns, voice recordings, and sleep, health, or exercise data that contain identifying information. Unlike the GDPR, the CCPA does not create a separate or more protective regime for biometric data. The CCPA explicitly notes that publicly available information does not include biometric data collected by businesses without the permission of consumers. Therefore, like any other personal information, biometric information is covered by the CCPA, except that the private right of action for breach under the CCPA does not include biometric information.

Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act (BIPA) governs how entities operating in Illinois collect, process, and use consumers’ biometric data. It requires these businesses to obtain explicit written consent from a consumer before collecting any biometric identifiers. The BIPA also requires written notice to individuals when collecting or storing biometric identifiers, and it mandates disclosure of the specific purpose and duration for which that data are kept.

The Illinois Supreme Court’s decision in Rosenbach v. Six Flags (“Rosenbach”) spurred legislative attempts to curtail the holding that statutory non-compliance was sufficient injury to bring suit. A bill from the Illinois Senate would have removed the private right of action; however, it failed to pass. Rosenbach has also created a ripple in the courts. For example, earlier this month in California, the U.S. Court of Appeals for the Ninth Circuit analyzed claims under the BIPA relating to Facebook’s use of facial recognition technology to suggest “tags” in pictures. The Court agreed with the Illinois Supreme Court’s interpretation of the BIPA in Rosenbach and concluded that statutory violations alone are sufficient to bring suit. The Court also analyzed whether the BIPA had extraterritorial effect and held that it is “reasonable to infer that the [Illinois] General Assembly contemplated BIPA’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.”

Other State Laws

Texas and Washington also have existing biometric privacy laws, although these states and Illinois take somewhat different approaches to biometric information. For example, like the BIPA, the Texas law requires businesses to inform individuals about collecting biometric identifiers and to receive consent before collecting them. However, Washington’s statute requires notice, consent, or an opt-out mechanism only for “enrolled” biometric identifiers, meaning those captured, converted into a reference template that cannot be reconstructed into the original output image, and stored in a database that associates the biometric identifier with the specific individual. Notably, the Washington statute’s limitations on disclosure and retention of biometric identifiers do not apply to biometric identifiers that have been “unenrolled” or that are enrolled for a security purpose. Lastly, unlike the BIPA, both the Texas and Washington laws allow enforcement only by the attorney general and do not permit a private right of action.

Although some states have not gone so far as to enact biometric privacy laws, several, including New York and Arkansas, have recently revised their data breach notification laws to include biometric information as “personal information.” Elsewhere, more biometric information legislation is on the horizon: Arizona, Florida, and Massachusetts each proposed laws governing biometric information in 2019. While the Arizona and Florida proposals failed this session, the Massachusetts bill is still under consideration.

If you need assistance complying with biometric information laws or other privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.