chevron-down Created with Sketch Beta.
December 12, 2023 Best of ABA Sections

Regulating and Litigating Biometric Privacy Rights

Garylene (Gage) Javier

Biometric identifiers are becoming the basis of a diverse array of highly secure identification and authentication technologies that people and businesses utilize daily. This article explores the current biometric landscape and discusses some of the key matters associated with litigating biometric privacy issues.

Laws Governing Biometrics

The United States does not currently have a federal privacy law enacted. As a result, the burden of establishing privacy rights for individuals and obligations for businesses falls on the shoulders of the states. As of late summer 2023, there were only three dedicated biometric privacy statutes in the United States: the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington Biometric Privacy Act (WBPA).

Under these laws, a “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or scan of the hand or face geometry. “Biometric information,” as defined in the Illinois law, means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.

Illinois Biometric Information Privacy Act

Of the three state laws, the BIPA is the only law with a private right of action. The Act provides that no private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless the subject of the biometric identifier or biometric information or the subject’s legally authorized representative consents to the disclosure or redisclosure. A private entity in possession of biometric identifiers or biometric information must develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. A private entity in possession of a biometric identifier or biometric information shall (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

Texas Capture or Use of Biometric Identifier Act and Washington Biometric Privacy Act

Under the CUBI, a person who violates the law is subject to a civil penalty of not more than $25,000 for each violation. The attorney general may bring an action to recover the penalty. The CUBI does not apply to voiceprint data retained by a financial institution or an affiliate of a financial institution. The WBPA provides a carveout for notice requirements under certain circumstances. Neither the CUBI nor the WBPA provides for a private right of action to be brought.

Consumer-Focused State Privacy Laws That Address Biometrics

Under the California Consumer Privacy Act of 2018 (CCPA), biometric data is considered one form of “personal information” subject to data subject access rights. Effective January 1, 2023, the California Privacy Rights Act (CPRA), which amends the CCPA, creates a subcategory of “sensitive personal information” that now includes the processing of biometric information for the purpose of uniquely identifying a consumer. Under the CPRA, consumers have a right to limit the use and disclosure of sensitive personal information to certain enumerated business purposes, such as helping to ensure data security and integrity, performing services on behalf of the business, or undertaking activities to verify and maintain or enhance the service or device owned or controlled by the business.

Trends in Biometric Litigation

Innovative technology in industries such as transportation and beauty has prompted new issues in connection with potential violations of biometric privacy laws.

Telematics in Transportation

The transportation and logistics industries have long been active users of telematics. Telematics is the monitoring of in-motion assets through the integration of the supply chain, communication, and technology. In many instances, dash cameras are installed in vehicles and, with the use of artificial intelligence (AI), can interpret objects on the road and inside the vehicle cab, including driver behaviors. Transportation companies leverage this tool to arm fleet managers against potentially fraudulent claims or increase awareness about risky driving. Although the use of video telematics is not a new concept in the transportation industry, it is the latter use of this technology that has been the focal point of recent litigation.

Virtual Try-on Technology

Digitalization facilitated the rapid transition to online commerce. Today, buyers can purchase a wide variety of products online, with many retailers adopting virtual try-on technology to close the gap between the in-person and virtual shopping experiences. In these instances, retailers leverage desktop or mobile cameras to allow a consumer to “try on” a product. Litigation has previously been filed where a retailer allegedly violated the BIPA when it allowed users to try on eyewear virtually but failed to (1) disclose that the try-on tool collects and stores a user’s facial geometries and (2) obtain users’ consent to collect their biometrics. How a retailer leverages the try-on technology may impact the analysis of whether a violation occurred.

Biometrics in Emerging Technologies

Biometrics and Artificial Intelligence

AI, broadly, is the simulation of human intelligence processes by machines, especially computer systems. AI developers use algorithms and statistical models to “train” the AI system to generate conclusions. This requires the ingestion of significant volumes of data collected from various sources and incorporated into the instruction of the AI system. As biometrics are most often used in identity authentication, companies are already developing ways to marry AI and biometrics in that regard.

Biometrics and the Metaverse

The term “metaverse” refers to a virtual world or a shared virtual space where physical and virtual realities converge and allow users to socialize, experience new forms of entertainment, and engage in commerce. Developers can create their own versions of this interactive and immersive technology environment in which users can engage virtually using devices such as virtual reality headsets. These headsets can capture and process massive amounts of biometric data, such as iris scans, pupil dilation, heart rate, and voice analysis.

Retail companies will likely be the most frequent entrants into the metaverse, leveraging the technology and virtual environment to interact with consumers and enhance their experience. How consumers interact with the virtual shopping experience may implicate various biometric modalities. Further, natural language recognition AI could be leveraged, and text or voice data could be used to train the AI system to develop more realistic customer interactions.

ABA Tort Trial and Insurance Practice Section

This article is an abridged and edited version of one that originally appeared on page 20 of The Brief, Spring 2023 (52:3).

For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.


About: TIPS is the only national professional group to unite plaintiff, defense, and insurance and corporate counsel to advance the civil justice system.

Periodicals: The Brief, quarterly magazine; Tort Trial & Insurance Practice Law Journal, quarterly electronic law review; TortSource, quarterly electronic newsletter; e-TIPS news, monthly electronic newsletter.

CLE and Other Programs: More than 15 CLE programs each year, plus numerous hot-topic webinars relevant to your practice area.

Recent Books: For a complete listing, visit TIPS Publications.

To Join TIPS Today: Please go to TIPS Memberships.

Download the PDF of this article

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

Garylene (Gage) Javier

Garylene (Gage) Javier (CIPP/US) is an associate with Crowell & Moring based in Washington, D.C., where she counsels her clients in understanding, navigating, and responding to complex privacy and cybersecurity issues affecting multinational organizations; she also represents clients in technology-related litigation. She is a mayoral appointee to the District of Columbia Innovation and Technology Inclusion Council, vice-chair of the American Bar Association’s TIPS Cybersecurity and Data Privacy Subcommittee, and the 2022–2023 president of the National Filipino American Lawyers Association.