State lawmakers evoking Big Brother and surveillance dystopias are pushing new requirements for how companies treat peoples’ unique characteristics such as fingerprints and facial scans—potentially expanding litigation risks for businesses that collect such biometric information.
Bills in nine states aim to protect biometric information broadly and let individuals sue over violations, such as a company collecting those identifiers without their consent. Democrats and Republicans have each offered proposals, signaling that the topic resonates on both sides of the partisan divide over the increasing reach of technology into peoples’ lives.
The legislative activity follows growing class action litigation and high-dollar settlements by companies including Facebook and TikTok that stem from a 2008 biometric privacy law in Illinois, the first state to enact such a measure and the only one to include a private right of action. The proposals reflect growing discomfort over voice and facial recognition technologies and a realization that immutable information as an iris measurement or face geometry should be protected, privacy advocates said.
“It is sacred. It’s static. You cannot change it,” said Gary Klinger, a Chicago-based partner with Milberg Coleman Bryson Phillips Grossman and chair of the cybersecurity and data privacy practice who’s represented plaintiffs in class-action biometric settlements.
Tech company lobbyists mounted opposition to Illinois-style bills Feb. 6 at a legislative committee hearing in Arizona, where state lawmakers tentatively approved a Republican-sponsored biometric measure (S.B. 1238) but said it would need changes before advancing. Representatives from such groups as TechNet, NetChoice, and Chamber of Progress—whose members include the country’s biggest tech companies—told Arizona’s lawmakers that a torrent of class-action lawsuits under the Illinois Biometric Information Privacy Act, or BIPA, has been untenable for businesses and harmed consumer access to technology.
“This has been the most abused piece of legislation in modern history,” said Carl Szabo, vice president and general counsel of NetChoice.
Privacy and Protection
The broad biometric proposals vary by state but would generally require companies, with some exceptions, to let people know when their biometrics are being collected, secure consent, and lay out policies for how the information is kept and destroyed. Legislators in other states have proposed narrower mandates or included the category in overarching consumer privacy bills.
States have failed in recent years to approve biometric privacy proposals that let individuals sue companies, and a Mississippi proposal already died in committee in January. This year’s efforts, though, could be a tipping point as people realize that tech companies policing themselves isn’t a good option, said Chad Marlow, senior policy counsel for American Civil Liberties Union, which has released a model bill on biometric privacy based on the Illinois law with several adjustments.
High-profile settlements resulting from the Illinois private right of action show the law is more effective at protecting biometric information than those enforced just by attorneys general in Texas and Washington, Marlow said. Statehouses that pursue individuals’ ability to sue recognizes that US consumers are underdogs and have few options compared to big tech companies, said Massachusetts state Rep. Dylan Fernandes (D), who is sponsoring a biometric privacy bill in his legislature (H.D. 3053).
“I think it’s just trying to level the playing field,” Fernandes said.
In New York, a bill (A. 1362) modeled on the Illinois language aims to protect peoples’ identities in an environment where “Big Brother is watching us,” sponsor Assemblywoman Aileen Gunther (D) said. The bill failed to advance in previous sessions, but consumers are becoming more aware of how companies are using their data, she said.
“We need privacy and we need protection,” Gunther said.
The bills, if enacted, could leave companies navigating a range of state-specific biometric requirements in addition to new consumer privacy laws. Consumers are “rightfully concerned about the proper safeguarding of their biometric data,” but lawmakers should consider the burden on companies to comply, said Khara Boender, state policy director of the Computer and Communications Industry Association, whose members include Google, Apple, and Amazon.
The association also recommends state laws leave enforcement to attorneys generals “to avoid bad faith and costly litigation,” Boender said in a statement.
The Illinois law is ripe for class action litigation with the potential for significant penalties—and some companies that have faced suits were unaware of its specific requirements, said Dmitry Shifrin, shareholder at Polsinelli PC in Chicago. The impacts have spanned industries and affected both small and large businesses with cases targeting biometrics collected from employees as well as consumers.
“It’s impacting everybody across the board,” Shifrin said.
Even slight variations in other state statutes would require companies to reevaluate their compliance programs, said Molly McGinley, partner at Honigman LLP in Chicago. Companies should consider whether it’s worth the potential risk to collect biometric data, she said.
When the use is a necessity for businesses, “the important thing is they’re staying abreast of these developments,” McGinley said. State lawmakers should also consider balancing the benefits of using biometric information against the risks when considering legislation, she said.
“It’s an ever-evolving space,” McGinley said.
To contact the reporter on this story:
To contact the editors responsible for this story: