top of page

Biometrics law in the USA



In our last post, we discussed the state of biometric data from the GDPR’s perspective along with some prominent cases in the EU. This post will focus on the regulatory landscape around biometric data in the US.


The USA does not have a single, comprehensive federal law regulating the collection and usage of biometric data. However, some states do have biometrics law in action—along with some proposed—that place obligations on organizations’ way of biometric data collection and usage.


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law and is enforced by the Office for Civil Rights (OCR). It is specially designed to ensure medical data privacy and protection and regulates the use, sharing, and disclosure of Protected Health Information (PHI)—biometrics data of which is a part—by covered entities. Because biometrics fall under the category of PHI, HIPAA requires entities to ensure adequate technical, administrative, and physical safeguards are in place to protect the confidentiality, integrity, and availability of the data. HIPAA doesn’t provide for a private cause of action brought by individuals.


Illinois

Illinois became the first state in the US to set forth a biometric data privacy law—Biometric Information Privacy Act (BIPA) (740 ILCS 14), passed in 2008—that regulates the collection, usage, and handling of biometric identifiers and information by private entities. BIPA applies to a variety of industries, ranging from healthcare to retail to hospitality to any employer who uses fingerprint technology for time-keeping purposes. Like PHI in relation to HIPAA, BIPA requires organizations to provide notice that biometric data is being collected and stored. It also requires specifying purpose and time for which that data will be used and stored; and obtaining written consent of the data subject before processing biometric data.

BIPA litigation

Since the time, in January 2019, Illinois Supreme Court held that an individual does not have to demonstrate actual “harm” to establish that he or she is “aggrieved”, it has opened a door for increased filing of BIPA class actions by plaintiffs. It indicates issues around the collection of biometrics, especially by employers for timekeeping purposes.

According to Courthouse News Service, 213 BIPA cases were filed in 2018 and 2019 in Illinois state and federal courts. In 2020, at least 54 court rulings referenced BIPA. Among all, fingerprints remained the most frequently sued-over biometric, with faceprints making the second most popular target of litigation. Let’s understand with the cases mentioned below how plaintiffs using their private right of action are highlighting issues around the collection and usage of biometrics:

  • Fingerprints Several cases point out suppliers of equipment and employers that use fingerprints (or algorithms derived therefrom) for timekeeping purposes as direct defendants. For example, Wendy’s, a fast-food chain, faced a class-action suit in the state of Illinois for unlawfully collecting and storing employee fingerprints.


  • Face ID Plaintiffs have also targeted algorithms that recognize faces. Apple got sued over the Face ID feature, which allows iPhone and iPad users to unlock their devices with their faces. In other cases, apps that scan users’ facial geometry to display the image of the user’s face — not actually recognizing them — were also targeted by plaintiffs. For example, Mary Kay Cosmetics and Ulta Beauty were sued over makeup try-on apps that superimpose makeup on a user’s face.


  • Voiceprints Voiceprints as well are gaining traction in litigation. Plaintiffs have targeted voice recognition technology used by Amazon’s Alexa to recognize consumer queries. As BIPA currently lacks a clear definition of what constitutes “voiceprint”, this area remains grey for companies using voice recognition technology. In another instance, McDonald’s has been the target of plaintiffs, for its use of voice recognition technology to recognize repeat customers at its drive-through windows.


  • Profiting from biometric data Defendants profiting from biometric data yet make another testing ground for plaintiffs that find selling, leasing, trading, or otherwise profiting from biometric data in violation of BIPA § 15(c). The argument hinges upon the very idea that defendants use biometrics data to create a product or service — ultimately profiting. Another tactic that plaintiffs have been relying upon is that by marketing a product or service with an emphasis on features that allegedly rely on biometric data, a defendant gains competitive marketing advantage, which results in their increased profits.

Texas Texas followed suit and enacted CUBI (Capture or Use of Biometric Identifier Act) in 2009. CUBI (Tex. Bus. & Com. Code Ann. § 503.001) applies to the collection of biometric identifiers for commercial purposes. Under CUBI, companies are required to provide individuals with a notice regarding biometric identifier capturing and obtain their written consent beforehand. In addition, CUBI prohibits companies from selling, leasing, or disclosing any biometric identifier with exceptions in the case individual consents for identification purposes in the event of disappearance or death; the disclosure is made for purposes of financial transaction requested or authorized by the individual itself; disclosure is required or permitted by federal or state statute; or the disclosure is made in response to a warrant.

Washington Washington, following Illinois and Texas, passed a biometric law, House Bill 1493 in 2017. Unlike Illinois and Texas statutes, H.B. 1493 has no reference of a record or scan of face geometry under the definition of biometric identifier. It also explicitly excludes physical or digital photographs, video or audio recordings or data generated therefrom, including certain health-pertinent data pursuant to HIPAA, from the definition of biometric identifier. Unlike Illinois and Texas statutes, H.B. 1493 limits its focus to the enrollment process of biometric identifiers. Additionally, it contains a broad security exception that exempts an entity from collecting, enrolling, or storing biometric identifiers in furtherance of a security purpose. This law too does not create a private right of action.


Louisiana

Louisiana in 2018 amended its Data Breach Security Notification Law (Louisiana Revised Statutes 51:3071, et seq.) by including biometric identifiers under the definition of personal information. The law requires entities collecting and processing biometrics data to inform of the breach to affected residents within 60 days. Currently enforced by the Louisiana Attorney General, this law is the second state in the US to provide for private rights of action.


Arkansas

Arkansas in 2019 amended its Personal Information Protection Act (PIPA) by expanding the scope of covered information under its data breach response law to include biometric data. The law requires companies to report any breach that affects 1,000 or more individuals to the Arkansas Attorney General. This law as well does not create a private right of action.


California

On January 1, 2020, California became the fourth US state to pass a biometric law, CCPA. California’s Consumer Privacy Act (CCPA, Sec. 1798.100) closely follows BIPA and GDPR, requiring businesses to comply with all the CCPA’s obligations in respect of any biometric information they collect, use, store, or share. If an organization fails to employ adequate security measures in aid of personal data protection and, therefore, suffers a breach, it can be subject to a class action under the private right of action with a statutory penalty of between $100 and $750 per consumer per incident.


Oregon

Following the national trend of expanding the definition of personal data and identity theft protection, Oregon, too, amended its Consumer Information Protection Act (OCIPA, ORS 646A-600, et seq.) to include protection for biometrics identifiers. The law requires vendors to notify the state Attorney General if a data breach suffered by them affects at least 250 Oregon state residents. Also, the affected individuals must be notified within ten days of the breach. Oregon’s updated law doesn’t provide for private rights of action. An interesting development about the Oregon law is that the city of Portland is the first in the entire United States to ban facial recognition technology use within the private sector.


New York

New York has recently passed two new biometric laws, the Tenant Data Privacy Act (TDPA) and an amendment to the New York City Administrative Code (NYC Administrative Code). Both laws set forth a private right of action.

The TDPA specifically targets owners of multifamily dwellings. It addresses privacy issues around the use of smart access systems for entry into premises that use keyless entry systems (e.g., key cards, phone access, fingerprint). NYC Administrative Code regulates biometric data collection by commercial establishments, including places of entertainment, retail stores, food & drink establishments, etc.

New York also revised its existing data-breach notification law with its 2019 Stop Hacks and Improve Electronic Data Security (SHIELD) Act to broaden the scope of private information to include biometric information. The SHIELD Act provides for limited private rights for New York residents. Earlier, New York had also passed a limited biometric law, N.Y. Lab, which applies specifically in the employment sector, prohibiting the use of fingerprinting as a means for securing employment or of continuing employment.


New laws on the horizon

As the commercial collection and use of biometrics data becomes more commonplace, the US has its other states working on carrying out their own state-exclusive biometric privacy laws. 27 states have BIPA-modeled legislation pending and only 5 states — Connecticut, Indiana, Minnesota, Montana and Utah — do not propose a private cause of action. It’s only a matter of time before biometrics protection laws get adopted in one form or another by all fifty states.

Comments


Featured Posts

Recent Posts

Follow Us

  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square
bottom of page