Dozens of employers have been caught off guard by the rash of class-action lawsuits recently filed in Illinois alleging violations of Illinois’s Biometric Information Privacy Act (BIPA). But while Illinois was the first, it is no longer the only state restricting private entities’ use of biometrics. Other states have enacted or are considering similar legislation. Any company using biometric information for employees or customers should take steps to ensure their compliance with other states’ statutes and closely monitor legislative efforts in states where they operate.
Illinois potentially creates a plaintiffs’ bonanza with statutory damages.
BIPA restricts how a private entity can collect, store, and use biometric information, as defined by the statute. A company collecting or using such information in Illinois must first create and publish a written retention policy, provide certain disclosures to people whose biometrics will be collected, and obtain a written release from any such person. BIPA prohibits companies from selling biometric information and restricts how such information can be transmitted and stored.
Most troubling, BIPA allows individuals to sue for alleged violations, potentially even without any damages. The statute allows a “person aggrieved” by a violation to sue for either actual damages, or for “liquidated damages” of $1,000 (for a negligent violation) or $5,000 (for an intentional violation), plus attorneys’ fees and an injunction against future violations. 740 ILCS 14/20. The liquidated damages and the attorneys’ fees provisions have made companies operating in Illinois prime targets for class-action litigation. More than two dozen such cases have been filed in the last three months, almost all alleging employers used a fingerprint-based timeclock without providing notice to and obtaining consent from employees.
BIPA-Lite: Three other states have enacted less onerous biometric statutes.
Texas enacted its biometric privacy statute in 2009. Tex. Bus. & Com. Code Ann. § 503.001. The Texas statute contains restrictions similar to those of BIPA in Illinois: both apply to the same kinds of biometric information; both require notice and consent (though Texas does not require a written release); both prohibit selling biometric information; and both restrict how such information is stored. Id. at § 503.001(a), (b), (c). Texas requires faster destruction of biometric information; both require the information to be destroyed when the information is no longer needed, but Texas caps that period at one year while Illinois imposes a three-year cap. Compare id. at § 503.001(c)(3) with 740 ILCS 14/15(a). The Texas statute is less threatening than Illinois’s BIPA because there is no private right of action; only the attorney general can sue to enforce the Texas statute, and can seek up to $25,000 per violation. § 503.001(d).
Washington’s biometric legislation became effective July 23, 2017. Wash. Rev. Code Ann. § 19.375, et seq. The statute defines biometric information more broadly as any “data generated by automatic measurements of an individual’s biological characteristics,” whereas the Texas and Illinois statutes limit the definition to certain specified measurements. Wash. Rev. Code Ann. § 19.375, et seq. The Washington statute requires various forms of notice and consent before capturing and storing biometric information, depending on the context. § 19.375.010(3), (5), § 19.375.020(1)-(2). Unlike in Texas and Illinois, a company may sell biometric information with consent or under certain limited circumstances. § 19.375.020(3). Washington also restricts how a company transmits or stores biometric information. § 19.375.020(4). Like Texas’s statute, Washington’s provides no private right of action; only the attorney general may enforce the statute.
Finally, Utah’s statute restricts the use of biometric information, but only in colleges and other schools, and provides a private right of action, but limits liability to third-party contractors that knowingly or recklessly permit unauthorized disclosure of students’ biometrics. Utah Code Ann. §§ 53A-1-1411.
Next up: a handful of states are considering similar biometrics legislation.
Bills related to biometric information have been introduced in New Hampshire, Massachusetts, Alaska, Michigan, and Pennsylvania. New Hampshire introduced a bill (HB 523) that originally appeared similar to BIPA but an amendment punted on actual regulations, opting instead to appoint a committee “to study the use and regulation of biometric information” and report back by November 1, 2018. HB 523 is currently sitting in committee and will carry over to the 2018 session.
A Massachusetts bill (H.1985) would amend existing laws to require the state’s Department of Consumer Affairs to adopt regulations to protect biometric information, which is broadly defined as “any unique biological attribute or measurement that can be used to authenticate the identity of an individual….” These existing privacy laws and regulations require the establishment of appropriate safeguards to protect a person’s personal information and to provide notice in the event of a breach. Mass. Gen. Laws ch. 93H, § 3; 201 Mass. Code Regs. 17.03. There is no current private right of action under those laws; only the state’s attorney general has enforcement powers. Mass. Gen. Laws ch. 93H, § 6 (2012). H.1985 is currently sitting in committee and will carry over to 2018.
Alaska’s HB 72, like BIPA, prohibits the collection of biometric data without notice and documented consent. Unlike BIPA, HB 72’s definition of biometric information is not a narrowly-defined, exclusive list, but includes “other physical characteristics of an individual.” HB 72 also grants a private right of action for an intentional, but not negligent or reckless, violation. HB 72 would allow for statutory damages of $1,000 per violation, but, if the defendant’s violation resulted in a profit or monetary gain, statutory damages are $5,000 per violation. HB 72 is currently sitting in committee and will be carried over into the 2018 regular session.
Michigan lawmakers introduced a bill (HB 5019) in 2017 substantially similar to BIPA. The bill uses definitions of biometric information nearly identical to BIPA’s definitions. Also like BIPA, HB 5019: (1) requires a retention schedule and destruction guidelines; (2) requires notice and written consent before collecting biometrics; (3) prohibits selling biometrics; and (4) restricts transmission and storage of biometrics. The Michigan statute would permit a private right of action and permits damages similar to BIPA’s. The statute is sitting in committee and will carry over to 2018.
Finally, Pennsylvania introduced a bill in 2017 (H.B. 1345) that is similar to BIPA but protects only students’ biometrics. No specific notice or consent procedures are required before collecting a student’s information, but the statute only allows “essential” data to be collected. H.B. 1345 imposes liability on any “educational entity”—such as a school, district, or board—as well as third parties, if they fail to comply with these requirements and that failure leads to a data breach. H.B. 1345 is sitting in committee and will carry over to 2018.
Not so fast: some states have had difficulty passing their proposed biometrics legislation.
Proposed biometric privacy bills in Connecticut (H.B. 5522 (2017); H.B. 5326 (2016)) and Montana (H.B. 518) were recently introduced but died and will not move forward. Nor will the recent bills related to protecting students’ biometrics introduced in Arizona (SB 1373) and Missouri (HB 201). Iowa’s student biometrics bill (HB 48) did not pass in 2017 and its future remains uncertain; the bill was indefinitely postponed on April 4, 2017.
Given the prevalence of biometric technology, and the very specific restrictions and the onerous potential damages of biometric laws, companies in all industries are advised to be aware of legislative developments in any states where they operate.