Business Litigation Report - June 2019

The Rise of Biometrics Laws and Litigation -

In recent years, there has been a significant rise in litigation, as well as legislation, concerning the use and collection of biometric data. Biometrics refers to the process of detecting and recording a person’s unique physiological characteristics such as a person’s fingerprints, iris pattern, face or voice, usually for identification and access control. Since biometric identifiers are unique to individuals and do not change with age, they are more reliable in verifying identity than token and knowledge-based methods, such as identity cards and passwords. The collection of biometric identifiers, however, raises privacy concerns about the ultimate use of this information, especially as an individual’s biometric identifiers cannot be changed if compromised.

Several states have narrow biometric privacy laws, constraining collection of biometric data from K-12 students, or prohibiting state agencies from using biometric data in connection with ID cards, as examples. Currently, only three states (Illinois, Texas, and Washington) have comprehensive biometric privacy laws in place, with a fourth (California) set to go into effect on January 1, 2020. The first comprehensive legislation, Illinois’s Biometric Information Privacy Act (“BIPA”), has been in effect since October 2008, but litigation under the statute began in earnest only recently in 2015, when several high profile suits were brought against social media websites. In just the past two years, over 200 class action complaints have been filed under the statute, vaulting BIPA into the spotlight as one of the hottest class action trends. (Although the biometric privacy laws of Texas and Washington are based on BIPA, both lack BIPA’s private right of action. See Tex. Bus. & Com. Code § 503.001; RCW 19.375 et seq.)