Biometric identifiers are quickly becoming the basis of a diverse array of highly secure identification and authentication technologies that people and businesses utilize daily. Unlike passwords and personal identification numbers, biometric identifiers are immutable. Their use therefore necessitates that security and privacy mechanisms be sufficiently put in place to protect against loss of privacy when these biometric identifiers are used in both ubiquitous and emerging technologies. States have enacted biometric privacy laws to ensure these protections, impart privacy rights to individuals, and place specific obligations on businesses with regard to this data.
September 05, 2023 Feature
Regulating and Litigating Biometric Privacy Rights
Garylene (Gage) Javier
This article explores the current biometric landscape and discusses some of the key matters associated with litigating biometric privacy issues. It also briefly discusses the potential use of biometrics in emerging technologies such as artificial intelligence (AI) and the metaverse.
Trends in the Use of Biometric Information
The most common uses of biometric technology include timekeeping, smartphone security, border security, national identification, banking, workforce management, laptop security, airport security, law enforcement investigations, home assistants, and building access.
According to a March 2022 research report by MarketsandMarkets™, the global biometric system market size is expected to grow from $42.9 billion in 2022 to $82.9 billion by 2027. The report details that increasing advancements in biometric technology across various sectors and rising demand for authentication and identification solutions as well as security and surveillance solutions in various application areas are the primary factors driving the market growth. The growing adoption of biometric systems in consumer electronics, automotive verticals, banking, financial services, and insurance will further drive the demand for this technology in the near future.
Certainly, awareness of consumer rights and regulatory compliance requirements will inherently become more important as technology evolves and biometric mechanisms are incorporated in the expansion of biometric-based developments.
Laws Governing Biometrics
The United States does not currently have a federal privacy law enacted, unlike the European Union and its General Data Protection Regulation. As a result, the burden of establishing privacy rights for individuals and obligations on businesses falls squarely on the shoulders of the states. This includes providing guidance on the collection, use, and processing of biometric data.
As of the date of this publication, there are only three dedicated biometric privacy statutes in the United States: the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington Biometric Privacy Act (WBPA). Notably, as discussed below in more detail, of the three statutes, only Illinois’s BIPA includes a private right of action. There are, however, several other consumer privacy statutes that address biometrics.
Defining “biometrics.” Under these laws, a “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or scan of the hand or face geometry. In Washington State, a biometric identifier does not include a physical or digital photograph; video or audio recording or data generated therefrom; or information collected, used, or stored for health-care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). “Biometric information,” as defined in the Illinois law, means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of “biometric identifiers.”
Illinois Biometric Information Privacy Act. Of the three state biometric privacy laws, the BIPA is considered the most robust of the laws primarily because it is the only law with a private right of action and has been the foundation of a significant volume of biometric litigation. The BIPA has several key elements:
Notice and consent requirements. No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless the subject of the biometric identifier or biometric information or the subject’s legally authorized representative consents to the disclosure or redisclosure. An electronic written release is acceptable before collecting the data.
Retention and destruction requirements. A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information. Destruction of such information is required when the initial purpose for collecting or obtaining such identifiers or information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever comes first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
Disclosure and sale restrictions. No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.
Security requirements. A private entity in possession of a biometric identifier or biometric information shall (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity’s industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Private right of action. Any person aggrieved may recover “for each violation” liquidated damages of $1,000 or actual damages (whichever is greater) for negligent violations. For intentional or reckless violations, they may recover liquidated damages of up to $5,000 or actual damages (whichever is greater). Plaintiffs may also recover reasonable attorney fees and costs (including expert witness fees and other litigation expenses) and seek other relief available (including injunction).
Statute of limitations. Recently, the Illinois Supreme Court in Tims v. Black Horse Carriers, Inc. established that all BIPA claims now have a five-year statute of limitations.
Accrual. The Illinois Supreme Court in Cothron v. White Castle System, Inc. held that a separate claim under the BIPA accrues each time an entity scans or transmits an individual’s biometric identifier or biometric information.
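The notice-and-consent, retention-and-destruction, disclosure and sale rules above translate fairly directly into controls that a system holding biometric data can enforce. The following Python example is added here as an illustration and is not code from the article; it encodes those rules over a constructed set of records (subject ids, dates and the subpoena reference are placeholders), and treats each scan as its own logged event because, under Cothron, each scan is a separately accruing claim if consent is missing. The three-year window is modelled as 3 × 365 days, which is an assumption.

```python
# Added illustration (not code from the article): a small control layer that
# enforces the BIPA obligations described above on constructed records. Rules
# encoded: a written release before collection; no disclosure without a separate
# consent; no sale, lease or trade at all; destruction when the purpose is
# satisfied or three years after the last interaction, whichever is earlier,
# unless a court-issued warrant or subpoena requires the data to be kept.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# "Within three years" modelled as 3 x 365 days (assumption; confirm with counsel)
RETENTION_LIMIT = timedelta(days=3 * 365)

class BiometricPolicyError(Exception):
    """Raised when an operation would breach the consent or retention rules."""

@dataclass
class BiometricRecord:
    subject_id: str
    identifier_type: str              # e.g. "face_geometry", "voiceprint"
    last_interaction: date
    purpose: str
    consent_collection: bool = False  # written release obtained before collection
    consent_disclosure: bool = False  # separate consent to disclose/redisclose
    purpose_satisfied_on: Optional[date] = None
    legal_hold: Optional[str] = None  # reference to a valid court warrant/subpoena

def enroll(store: Dict[str, BiometricRecord], record: BiometricRecord) -> None:
    """Persist a record only when a written release was obtained first."""
    if not record.consent_collection:
        raise BiometricPolicyError(f"no written release on file for {record.subject_id}")
    store[record.subject_id] = record

def record_scan(store: Dict[str, BiometricRecord], subject_id: str, when: date,
                audit: List[str]) -> None:
    """Each scan is a separate event (and a separately accruing claim if consent is
    missing), so refuse it without an enrolled consent and log it otherwise."""
    if subject_id not in store:
        raise BiometricPolicyError(f"scan of {subject_id} without an enrolled consent")
    store[subject_id].last_interaction = when
    audit.append(f"{when.isoformat()} scan {subject_id}")

def disclose(record: BiometricRecord, recipient: str) -> dict:
    """Disclosure or redisclosure requires the subject's consent to that disclosure."""
    if not record.consent_disclosure:
        raise BiometricPolicyError(f"{record.subject_id} has not consented to disclosure")
    return {"subject": record.subject_id, "identifier": record.identifier_type, "to": recipient}

def sell(record: BiometricRecord, buyer: str) -> None:
    """Sale, lease, trade or other profit from the data is prohibited outright."""
    raise BiometricPolicyError(f"sale of {record.subject_id} data to {buyer} is prohibited")

def destruction_deadline(record: BiometricRecord) -> date:
    """Earlier of purpose satisfaction and three years after the last interaction."""
    by_time = record.last_interaction + RETENTION_LIMIT
    if record.purpose_satisfied_on is not None:
        return min(record.purpose_satisfied_on, by_time)
    return by_time

def destroy_due(store: Dict[str, BiometricRecord], today: date) -> List[str]:
    """Permanently remove records whose schedule has run, except those under a
    valid warrant or subpoena; return the ids destroyed."""
    ids = sorted(sid for sid, r in store.items()
                 if r.legal_hold is None and destruction_deadline(r) <= today)
    for sid in ids:
        del store[sid]
    return ids

def demo() -> dict:
    """Run the controls over constructed records as of a constructed date."""
    store: Dict[str, BiometricRecord] = {}
    audit: List[str] = []
    enroll(store, BiometricRecord("emp-001", "face_geometry", date(2020, 6, 30),
                                  "timekeeping", consent_collection=True))
    enroll(store, BiometricRecord("cust-002", "voiceprint", date(2023, 1, 10),
                                  "order verification", consent_collection=True,
                                  consent_disclosure=True))
    enroll(store, BiometricRecord("emp-003", "face_geometry", date(2019, 2, 1),
                                  "building access", consent_collection=True,
                                  purpose_satisfied_on=date(2019, 2, 2),
                                  legal_hold="SUBPOENA-REF-PLACEHOLDER"))
    try:
        enroll(store, BiometricRecord("emp-004", "face_geometry", date(2023, 8, 1), "timekeeping"))
        rejected_without_release = False
    except BiometricPolicyError:
        rejected_without_release = True
    record_scan(store, "cust-002", date(2023, 5, 2), audit)   # refreshes last interaction
    try:
        sell(store["cust-002"], "data-broker-example")
        sale_blocked = False
    except BiometricPolicyError:
        sale_blocked = True
    destroyed = destroy_due(store, today=date(2023, 9, 5))
    return {
        "rejected_without_release": rejected_without_release,
        "sale_blocked": sale_blocked,
        "destroyed": destroyed,          # emp-001: over three years since last interaction
        "retained": sorted(store),       # cust-002 active; emp-003 held by subpoena
        "disclosed_to": disclose(store["cust-002"], "payment-processor-example")["to"],
        "scans_logged": len(audit),
    }
```

Calling `demo()` shows the record enrolled without a release being refused, the sale attempt being blocked, the stale timekeeping record destroyed on schedule while the subpoenaed one is retained, and the one logged scan. The audit list is the piece a security team would actually monitor: scans of subjects with no consented record are the events that create liability.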
Texas Capture or Use of Biometric Identifier Law and Washington Biometric Privacy Act. Under the CUBI, a person who violates the law is subject to a civil penalty of not more than $25,000 for each violation. The attorney general may bring an action to recover the civil penalty. The CUBI does not apply to voiceprint data retained by a financial institution or an affiliate of a financial institution. The law is silent as to the number of penalties that can be imposed.
The WBPA provides a carveout for notice requirements under certain circumstances. For example, the WBPA does not require an entity to provide notice and obtain consent to collect, capture, or enroll a biometric identifier and store it in a biometric system, or otherwise, in furtherance of a security purpose.
Neither the CUBI nor the WBPA provides for a private right of action to be brought in the event of a violation of the statute. As a result, only state attorneys general may enforce the biometric privacy laws in those jurisdictions. Last year, the Texas attorney general brought the first case of its kind under the CUBI against Google.
Consumer-focused state privacy laws that address biometrics. Under the California Consumer Privacy Act of 2018 (CCPA), biometric data is considered one form of “personal information” subject to data subject access rights. Effective January 1, 2023, the California Privacy Rights Act (CPRA), which amends the CCPA, created a subcategory of “sensitive personal information” that now includes the processing of biometric information for the purpose of uniquely identifying a consumer. Under the CPRA, consumers have a right to limit processing to certain activities. Specifically, consumers have a right to limit use and disclosure of sensitive personal information to certain enumerated business purposes, like helping to ensure data security and integrity, nonpersonalized advertising, performing services on behalf of the business, or undertaking activities to verify and maintain or enhance the service or device owned or controlled by the business. The covered entity is required to provide a link on its website allowing customers to limit such disclosure.
While other states may not have dedicated biometric privacy laws, their consumer or privacy laws generally account for biometric information in certain instances. For example, states such as Connecticut, Iowa, Nebraska, North Carolina, Wisconsin, and Wyoming require data breach notifications when a data breach involves personal information, including biometric data.
Trends in Biometric Litigation
Innovative technology in industries such as transportation and beauty has prompted new issues in connection with potential violations of biometric privacy laws.
Telematics in transportation. The transportation and logistics industries have long been active users of telematics. Telematics is the monitoring of in-motion assets through the integration of the supply chain, communication, and technology.
In many instances, dash cameras are installed in vehicles and, with the use of AI, can interpret objects on the road and inside the vehicle cab, including driver behaviors. Transportation companies leverage this tool to arm fleet managers against potentially fraudulent claims or increase awareness about risky driving, including collisions and other road incidents. While the use of video telematics is not a new concept in the transportation industry, it is the latter use of this technology that has been the focal point of recent litigation.
In Arendt v. Netradyne, Inc. and Hernandez v. Omnitracs, LLC, the driver-plaintiffs have alleged violations of the BIPA when multiuse camera hardware devices were installed in a fleet of trucks. In both cases, the complaints allege that the camera collected biometric information by scanning a driver’s facial geometry. In combination with AI, this served as a tool to monitor driver behaviors. For example, the system allowed companies to assess driver awareness by reviewing whether a driver’s eyes were closed or looking down. Plaintiffs allege that notice was not properly given related to the collection, purpose, and retention of their biometric information, and express written consent to permit collection of biometrics was not obtained.
The matters are in their early stages, but if the courts find that the defendants did violate the BIPA, this may send a strong signal for transportation and logistics companies to ensure that their notice, collection, and retention policies are compliant with the BIPA and other applicable privacy laws.
Virtual try-on technology. Digitalization facilitated the rapid transition to online commerce. Today, buyers can purchase a wide variety of products online, with many retailers adopting virtual try-on technology to close the gap between the in-person and virtual shopping experiences. In these instances, retailers leverage desktop or mobile cameras in order for a consumer to “try on” a product. Retailers selling eyewear and cosmetics are among those who leverage virtual try-ons to support consumer online shopping.
Litigation has previously been filed where a retailer allegedly violated the BIPA when it allowed users to try on eyewear virtually but failed to (1) disclose that the try-on tool collects and stores a user’s facial geometries and (2) obtain users’ consent to collect their biometrics. This raises interesting issues related to the function of the try-on tool itself.
When consumers use a retailer’s virtual try-on feature, they have the option to either upload a photo or use a camera on their mobile or desktop device. The try-on tool then overlays the image of the product to provide a visual depiction of the product on the user to emulate an in-person shopping experience. Some try-on programs simply scan the face, recognize the key points of facial geometry, and superimpose content onto it. How a retailer leverages the try-on technology may impact the analysis of whether a violation occurred. The facial geometries and subsequent facial images may be collected and saved on the retailer’s server, saved on the consumer’s device only, or not saved at all. An important component of the analysis will turn on whether, given how the facial data is processed, the company collects facial data at all. Collecting and storing information on company servers may indeed violate the BIPA if the retailer fails to provide the consumer with the appropriate disclosures at the outset of the try-on tool’s use.
Voice recognition technology. Convenience and efficiency are often the drivers leading to adoption of a variety of different technologies. For many businesses, this takes the form of voice recognition technology, whereby sounds and patterns in human speech are converted into commands or text that are understood by a computer system for execution. In some instances, voice data is also used for authenticating the identity of a user. Voice markers are noted and captured and then associated with a profile for an individual. However, unless the person has been given notice of the collection of their voice data, this poses an inherent risk to the organization, as seen in recent litigation.
One example is in the use of automated voice ordering (AVO) systems. The issue stems from instances where customers call in orders and voiceprints are captured and processed to more readily recognize customers for future interactions (e.g., retrieving order history or recognizing customers to verify orders). In Guy-Powell v. Applebee’s Restaurants LLC, the plaintiffs allege that Applebee’s created voiceprints through their AVO systems without notice or consent, thereby violating biometric privacy rights. This recent class action lawsuit, which is still pending, demonstrates that transparency in the use of biometric technologies is an important aspect of mitigating risk and building consumer trust.
Biometrics in Emerging Technologies
As technologies such as the metaverse and AI develop further, biometrics could play an important role in how consumers interact with these advancements.
Biometrics and artificial intelligence. AI, broadly, is the simulation of human intelligence processes by machines, especially computer systems. AI developers use algorithms and statistical models to “train” the AI system to generate conclusions. This requires the ingestion of significant volumes of data collected from various sources and incorporated into the instruction of the AI system. The “training” results in the ability of AI to execute tasks such as recognizing images, understanding natural language, making decisions, and playing games.
As biometrics are most often used in identity authentication, companies are already developing ways to marry AI and biometrics in that regard. Most recently, the U.S. Patent and Trademark Office issued a notice of allowance to Trust Stamp for its application related to AI-based biometric authentication technology. The technology “replaces the storage and use of biometric templates with an irreversibly transformed identity token (IT)² generated by a neural network. The AI processes used include image segmentation utilizing deep learning.” The use of AI “allows Trust Stamp to provide users with the benefits of biometric-derived authentication without losing control of or sharing their original biometric data.”
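The idea of replacing a stored biometric template with an irreversibly transformed, revocable token predates any one vendor and is easiest to see in a simple form. The Python example below is added here as an illustration and is neither Trust Stamp’s code nor its neural-network method: it uses the generic random-projection-and-binarize construction from the cancelable-biometrics literature. A feature vector (constructed here, standing in for the output of a face or voice feature extractor) is projected onto secret hyperplanes chosen by a per-user key and reduced to sign bits; only the bits and a key reference are stored, a fresh capture is compared in the token domain by Hamming distance, and changing the key reissues the token. The dimensions, noise level, keys and acceptance threshold are assumed values for the demonstration.

```python
# Added illustration (not Trust Stamp's code or method): a generic "cancelable
# biometric" transform that stores an irreversibly transformed, revocable token
# instead of the raw template. The map from DIM floats to BITS sign bits is
# many-to-one and discards magnitudes, the key makes it revocable, and matching
# never needs the original template again.
import random

DIM = 128        # feature vector length (constructed)
BITS = 64        # token length; fewer bits than inputs, so the map is lossy
THRESHOLD = 16   # accept when at most this many bits differ (assumed tuning value)

def projection_rows(key: int):
    """Secret hyperplanes derived from the per-user key. random.Random is used only
    for a reproducible illustration; a deployment would derive them with a
    CSPRNG/KDF and keep the key separate from the stored tokens."""
    rng = random.Random(key)
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(BITS)]

def make_token(features, key: int):
    """One bit per hyperplane: the sign of the projection, magnitude discarded."""
    assert len(features) == DIM
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0
            for row in projection_rows(key)]

def hamming(a, b) -> int:
    return sum(x != y for x, y in zip(a, b))

def verify(stored_token, key: int, fresh_features) -> bool:
    """Compare in the token domain; small capture noise flips only a few bits."""
    return hamming(stored_token, make_token(fresh_features, key)) <= THRESHOLD

def constructed_sample(person_seed: int, capture_seed=None):
    """Stand-in for a feature extractor (constructed data): a fixed per-person
    vector plus, when capture_seed is given, small per-capture noise."""
    rng = random.Random(person_seed)
    base = [rng.uniform(-1.0, 1.0) for _ in range(DIM)]
    if capture_seed is None:
        return base
    noise = random.Random(capture_seed)
    return [x + noise.gauss(0.0, 0.05) for x in base]

def demo() -> dict:
    """Genuine match, impostor rejection, and revocation by key change."""
    alice_enrol = constructed_sample(1)
    alice_fresh = constructed_sample(1, capture_seed=99)   # same person, new capture
    bob = constructed_sample(2)                             # different person
    key_v1, key_v2 = 1001, 1002                             # per-user keys (constructed)
    token = make_token(alice_enrol, key_v1)
    reissued = make_token(alice_enrol, key_v2)              # revocation: same person, new key
    return {
        "genuine_accepted": verify(token, key_v1, alice_fresh),
        "impostor_accepted": verify(token, key_v1, bob),
        "genuine_distance": hamming(token, make_token(alice_fresh, key_v1)),
        "impostor_distance": hamming(token, make_token(bob, key_v1)),
        "revoked_distance": hamming(token, reissued),       # old token is useless under the new key
    }

if __name__ == "__main__":
    print(demo())
```

The three distances returned by `demo()` carry the point: a fresh capture of the same person lands within a few bits of the stored token, a different person lands near half the bits away, and the same person's token under a new key is also about half the bits away, which is what lets a compromised token be revoked without the person having to change their face or voice. Whether a given scheme is genuinely irreversible and unlinkable is a cryptographic question that this toy does not settle; the secret key is doing real work here, and a leaked key weakens the irreversibility argument.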
In Scotland, the Independent Advisory Group on Emerging Technologies in Policing (ETIAG) issued a report advocating specific and binding rules for biometrics and AI in policing. The report noted that there are concerns regarding “automated decision-making and the use of AI in predictive policing, which can lead to increased bias and discrimination. Live facial recognition also raises human rights issues and has the potential to be discriminatory.” The report advises that “[a]n ethical and legal assessment framework based on equality and human rights is necessary to reduce risks to public trust and discrimination.”
As evidenced by these examples, biometrics and AI are already at the forefront of how companies and governments are leveraging these advancements to enhance operations.
Biometrics and the metaverse. The “metaverse” is not one place. Rather, the term refers to a virtual world or a shared virtual space where physical and virtual realities converge and allow users to, among other things, socialize, experience new forms of entertainment, and engage in commerce. Developers can create their own versions of this interactive and immersive technology environment in which users can engage virtually using devices such as virtual reality (VR) headsets. These headsets can capture and process massive amounts of biometric data, such as iris scans, pupil dilation, heart rate, and voice analysis.
Retail companies will likely be the most frequent entrants into the metaverse, leveraging the technology and virtual environment to interact with consumers and enhance their experience. Trust between consumers and retailers will inevitably be required to maintain relationships, particularly in terms of data and privacy. How consumers interact with the virtual shopping experience may implicate various biometric modalities. Further, natural language recognition AI could be leveraged, and text or voice data could be used to train the AI system to develop more realistic customer interactions.
The metaverse still has a long way to go in terms of widespread adoption by various organizations, but biometrics will be—and to some degree already is—an important driver of unique user engagement in the virtual environment.
Conclusion
Biometric technologies will be leveraged in many unique ways in the future. What has taken place until now is just the start of something that will grow exponentially. Organizations giving thought to wading into the waters right now need to be aware of the current and emerging risks—and, in doing so, should consider several issues to ensure that adoption is appropriate for their objectives, including the following:
- What safeguards will be in place to protect biometric information
- Whether the appropriate disclosures are made to individuals, along with processes to obtain the appropriate consents for collection and use
- Whether policies and procedures are in place to protect biometric data and whether these measures are communicated effectively to stakeholders
- Whether the appropriate infrastructure is in place to support the implementation of biometric systems
- Whether the organization has cybersecurity insurance in the event that a security incident occurs
These initial considerations can help organizations mitigate risk and evaluate their level of compliance with state biometric privacy laws. Moving forward, these considerations will likely prove critical to risk management with regard to the use of biometric information as the uses of such information expand dynamically in the years ahead.