CHICAGO — An Illinois biometrics privacy law is paving the way for emerging legislation in several other states across the country, as more vendors deploy biometric technology in a variety of everyday applications, and as the courts continue to work out the potentially expensive implications of the law's mandates on business.
Biometric technology uses specific biological attributes to identify a person, including facial recognition, voiceprints, fingerprints and ocular scans. Fingerprint scanning on smart phones and ATMs, for instance, is becoming more commonplace.
Illinois' Biometric Information Privacy Act, enacted in 2008, established protocols businesses should adopt to protect this highly vulnerable and sensitive data from identity theft, because once compromised, it can be easily transferred, stored and reused, indefinitely.
“BIPA has been around for a few years and has been interpreted by several jurisdictions, including here in the Northern District of Illinois,” Julie Kadish, a privacy and data security attorney at Foley & Lardner, told the Cook County Record. “States may be looking to Illinois as a model because (recent) court decisions may help provide some level of certainty and guidance as to how courts will interpret key provisions in the statute.”
In 2016, a Cook County judge signed off on a $1.5 million settlement to end a class action lawsuit against tanning studio vendor, L.A. Tan, a first for Illinois’ BIPA because L.A. Tan had not obtained expressed consent from clients to collect their biometric information - in this case, their fingerprints, which customers used as an ID to access the tanning studios. Other recent BIPA-related litigation includes actions against Google, Facebook and Snapchat.
Five states are also currently evaluating amendments to their biometric laws. California, however, doesn’t yet have a biometric statute.
“Alaska, Montana and New Hampshire take a similar approach to BIPA and allow private causes of action,” Kadish said. “Connecticut’s bill takes a very different approach and aims to prohibit retailers from using facial recognition technology for marketing purposes. Washington has some similarities to BIPA and is also like Texas’ current biometric law, in that it can be enforced solely by the attorney general.”
As biometric identifiers are more frequently utilized, states are steadily playing catch-up with technology, Kadish said. However, privacy advocates and consumers alike want to know how their information is collected, used and stored. Since there are little in the way of federal laws, state-driven initiatives are leading the way. She said Illinois has introduced three other privacy bills since January.
“Businesses need to ensure that they are collecting the information lawfully by using appropriate notice and consent mechanisms,” Kadish said. “(From) appropriate security procedures (to) being mindful of retention and disposal requirements, companies should adopt a 'privacy by design' approach and consider the implications of collecting and using biometric information in the initial phases of creating a product or service.”
Further, because BIPA allows for a private cause of action, they should include this in their risk management analysis, she said.
“It is unclear whether other states (will) adopt similar legislation, but we are seeing an uptick in states that care about biometric information,” Kadish said. “For example, several states (including Illinois) have amended their state data breach notification laws in recent years to include biometric information in the definition of 'personally identifiable information.'"