The National Biometric Information Privacy Act of 2020 (National BIPA), introduced Aug. 3 by Sens. Bernie Sanders (D-Vt.) and Jeff Merkley (D-Ore.), draws influence from the Illinois BIPA, the first of its kind when enacted in 2008. Since then, Texas, New York, California, Washington, and Arkansas have passed their own biometric privacy laws.
Introduction of the National BIPA comes as recent high-profile (and high-priced) biometric privacy lawsuits under the Illinois law have gained national attention. Most notably, a California federal judge recently approved a $650 million settlement between a class of Illinois residents suing Facebook. TikTok was also hit with a lawsuit for allegedly collecting face scans of minors, which may render another costly outcome.
But most BIPA cases are not of this caliber.
Smaller BIPA cases are filed throughout the country on a daily basis. Based on Gordon & Rees’ internal monitoring, state-law claims for biometric privacy violations are nearing the frequency levels of the “cottage industry” lawsuits, often filed for trivial violations of federal laws and their state-law counterparts.
Should the National BIPA be passed into law, those who handle litigation under similar statutory schemes like the Fair Debt Collection Act, the Fair Credit Reporting Act, and the Telephone Consumer Protection Act, may be faced with a new instrument to combat in the arsenal that is the high-volume consumer litigation industry.
Biometric Privacy Laws Generally
The crux of biometric privacy laws is to prevent private entities from collecting biometric information without disclosure and consent. Biometric information is collected data derived from biometric identifiers. Most commonly litigated identifiers are fingerprints, eye scans, voiceprints, and faceprints.
Under the Illinois and National BIPA laws, no private entity may collect biometric information from any person without a written release. If lawfully collected, that information may not be sold, traded, or otherwise transferred. Companies must also develop a policy for timely destruction of an individual’s biometric information once the company’s purpose for the information or interaction with the person has ended.
The Illinois BIPA and the proposed federal law both contain “fee-shifting” provisions. Such statutory language allows the prevailing party to recover attorneys’ fees and costs, which is the driving force behind this cottage industry litigation under the abovementioned federal statutes. This coupled with statutory damages ($1,000 for each negligent violation; $5,000 for each intentional violation) will pave way for a massive influx of new cases under a National BIPA.
Compliance and Defense
It is incumbent upon companies, and their in-house and outside counsel, to develop policies and procedures to combat this new wave of litigation through proper disclosure, collection, and destruction of biometric data.
With the growing presence of technology in the workplace, even businesses outside of the technology industry may need to evaluate their internal practices.
A common claim under the Illinois BIPA is against employers who collect biometric information as part of employee time-tracking procedure. Loews Hotels recently reached a $1.1 million settlement with a class of employees alleging that the hotel chain unlawfully collected their fingerprints as part of their time-tracking practices.
The Trump hotel chain was hit with an identical lawsuit in August. Similar lawsuits have been filed by employees of Aldi, Regal Cinemas, White Castle, Little Caesars, and Corner Bakery, to name a few.
Unlike similar statutory schemes under the FDCPA, FCRA, TCPA and the like, businesses may choose to avoid BIPA liability altogether by opting out of biometric data collection. Others who see the benefit of biometric identification, or whose consumers have come to expect the ease of use associated with biometric identification, will be exposed to the nation’s most persistent plaintiffs’ attorneys.
In response, businesses will continue to fill the gaps in their contractual provisions, further insulating them from any liability. The unfortunate, but likely inevitable, result of this endless cat and mouse game will be a continued erosion of choices for consumers and employees who will be forced to consent to the collection of biometric information as a precondition to participation in products, services, and employment.
While this Inisight has focused mainly on the influx and obstacles defendants to the National BIPA may face, this is not to say the proposed law is without merit. Our society continues to see exponential increases of privacy intrusions during the Orwellian reality we live in.
These intrusions are evidenced by the claims against tech giants like Facebook as well as the uncovering of our government’s intricate surveillance systems (a separate bill recently introduced by Sen. Edward Markey (D-Mass.) and Rep. Pramila Jayapal (D-Wash.) seeks to combat governmental biometric privacy violations; the National BIPA specifically precludes state actors).
From a policy standpoint, we need measures to keep our individuality and privacy secure. The purpose is noble, but the remedies of the National BIPA lend themselves well to an opportunistic plaintiffs’ bar that may not always have consumer privacy front of mind.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Avanti Bakane is a partner in the Chicago office of Gordon & Rees and is a member of the Commercial Litigation, Consumer Protection Litigation, and Cannabis Law practice groups. As a Certified Information Privacy Professional (CIPP) and co-chair of the firm’s Privacy, Data & Cybersecurity group, she represents businesses and professionals in software and e-commerce development, data privacy, data loss, licensing, and copyright infringement disputes.
Richard E. Daniels is a recent graduate of Loyola University Chicago School of Law and an incoming associate in the Chicago office of Gordon & Rees.
Benjamin R. Kinney is an associate in the Chicago office of Gordon & Rees and is a member of the Commercial Litigation, Consumer Protection Litigation, Privacy, Data & Cybersecurity, and Cannabis Law practice groups.