Identity verification and protection in a growing digital world is a complex issue with a variety of solutions to consider. Biometric data collection as a streamlined solution has surged in recent years, especially across the U.S.
But what happens when data privacy protection and individual consent get left out in such biometric rollouts?
That's where the Illinois Biometric Information Privacy Act has thrived since its passage in 2008. And the law that produced the largest cash settlement ever resolving a privacy-related lawsuit — a USD650 million settlement with Facebook in March 2021 via claims under the law's private right of action — is only getting stronger.
Recent cases before the Supreme Court of Illinois padding BIPA litigation sounded alarms around the privacy community. In the case of Tims v. Black Horse, the court determined BIPA claims have a 5-year statute of limitations. That decision was followed by Cothron v. White Castle, which found separate BIPA claims accrue for every biometric scan taken from an individual.
"The cases show the significance of potential damages under BIPA. For instance, White Castle may owe up to USD17 billion in damages if the current decision stands." Future of Privacy Forum senior counsel for U.S. legislation and biometrics Tatiana Rice, CIPP/US, said. "In addition, these decisions demonstrate the importance of BIPA compliance at the first deployment of any biometric technologies."
The BIPA was originally passed as an accountability measure against Chicago-based financial institutions deploying biometrics for consumer verification and protection tied to financial accounts. The law's growing application and the consumer redress successes since 2008 are spurring a legislative wave in 2023, as more states seriously consider their own BIPA proposals.
The decisions
The recent decisions from Illinois' highest court strengthen, and will likely increase, the volume of consumer claims.
The determination that claims can accrue on a per-scan basis will prove most costly. Regardless of whether the same individual has the exact same scan collected time after time, a company is now liable if privacy and consent practices are not sufficient or tuned to the BIPA standards.
Pending liability stemming from the decision makes a given company's insurance coverage that much more important moving forward.
"These two decisions also serve as a reminder for policyholders to make sure they have adequate insurance coverage that provides coverage for their biometric information collection practices — be it under commercial general liability policies, employment practices liability policies, director and officers insurance policies, or stand-alone cyber insurance policies," Buchanan Ingersoll & Rooney associate Kyle Black, CIPP/E, CIPP/US, CIPM, said. "Otherwise, a company could be left paying the cost of litigation or any settlement or judgment out of pocket."
The change to the statute of limitations will certainly add to the uptick in claims, but it places more urgency on getting into compliance. FPF's Rice noted the White Castle case shows an instance of BIPA noncompliance "upon first deployment of any biometric technology and do not consider ongoing biometric compliance efforts" as White Castle came into full compliance in 2018.
The timeframe extension itself won't drastically change the way consumers approach claims, according to American Civil Liberties Union senior policy counsel Chad Marlow.
"I think the statute of limitations has to just be viewed for what it is. It is a rule that attempts to balance the need for people to receive justice with a rule that wants to make sure there's not a spoilage, witnesses disappearing or that sort of thing," he said. "So to me, a five-year statute of limitations isn't an unreasonable period of time. Neither is four years or six years. So at the end of the day, it's probably not hugely consequential in the big picture."
All risk, no reward?
Recent developments beg the very basic question of why an organization would roll out biometric programs in the face of potential litigation. Reliability, simplicity and cost-effectiveness could be among the common answers depending on the deployment, but what's the advantage?
There is a line of thinking that supports biometric access and verification as an added layer of security. Some companies may associate safety and trust with permitting access to goods and services through nonduplicative personal identifiers that can not be easily compromised compared to password or credential access.
"Biometric scanning can help confirm you are indeed the person requesting money be wired to some account," Black said. "Using biometric identifiers can help make sure sensitive or confidential information — be it company trade secrets or individual medical information — are not accessed by unauthorized individuals."
Black added the ultimate goal is convenience for all parties involved. But generally, biometric rollouts without proper privacy and consent implementation that fall victim to BIPA claims can lead to head scratching.
Potential malintent and noncompliance were not top of mind with organizations' initial biometric deployments because the first interpretations of the law left a number of practices out of the BIPA's scope.
"Many companies were told when they rolled out the technology that it was not covered by BIPA and had no reason to believe otherwise. Just because something bears the label 'biometric' does not mean it is regulated by the statute," Lewis Brisbois Partner Mary Smigielski said. "Now, we are seeing a multitude of arguments about what the language in BIPA actually means, which shows the ambiguity in the statute and how companies were acting in good faith when they implemented the technology."
A leading example of risks stemming from legal ambiguity are biometrics in the employment context. Businesses that formerly used timecards or employee pins are moving to fingerprint or other biometric scans to clock in and out. There's also the use of facial recognition technology to monitor on-the-clock productivity.
"If I'm wearing my skeptical hat, biometrics are also probably a way for companies to collect more personal information and leverage to accumulate money or power in ways that exploit people," Boston University School of Law professor Woodrow Hartzog said. "For example, biometrics give employers the promise of tracking every place employees go, how long they take bathroom breaks and every facial expression they make. They are the perfect tool for organizations and governments that want to control other people."
Unorthodox deployments are likely to produce litigation that may blindside companies.
"Some unique cases that could produce 'gotcha' litigation are cases interpreting what is a 'biometric identifier,'" Black said. The term is included under biometric privacy laws in Texas and Washington state, but the Illinois definition is broader to pull claims under. "BIPA defines biometric identifier to mean, among other things, a 'scan of hand or face geometry.' But what constitutes a scan of hand geometry? What constitutes a scan of face geometry?"
State biometric patchwork
Rice has been extensively tracking a state-level biometric proposals across 2023 U.S. state legislative sessions, finding 22 biometric privacy or facial recognition bills. She said approximately half of those states considered proposals modeled after Illinois' BIPA, but only two bills cleared a legislative committee.
Many of the BIPA lookalikes stem from the ACLU's model framework, which takes a majority of Illinois' statute while amending certain areas. Marlow led the initiative, saying he hopes to get 20% of states to consider the bill ahead of 2023 legislative sessions.
With most state legislatures currently in the middle of their sessions, Marlow said uptake surpassed the ACLU's expectations.
"I would say we were a bit surprised about the traction," Marlow said, noting the initial success their model had in Kentucky. "When you're dealing with things like privacy and technology, there's a learning curve. It's very rare that when one of these bills gets introduced, it passes that first year. That first year is often education, question asking and the legislators rightly doing their due diligence."
Marlow indicated the proposal "is not meant to be transformative." The key differences or perceived improvements on Illinois' BIPA, according to Marlow, were updated language for defining biometric identifiers, provisions on employee biometrics, clearer data retention requirements and a reversal of the new BIPA standard on accruing claims.
BU's Hartzog is on the fence about a network of BIPA copycats. On one hand, the private right of action that comes with the framework is proving effective with organizational accountability and oversight. But he said the notice-and-consent model BIPA is based on "prioritizes individual informational self-determination at the expense of more robust, collective, relational, and design-based rules and outright prohibitions."
"I worry about continuing to prioritize consent and transparency when what we need are nonwaivable, substantive prohibitions that will protect people no matter what they choose," Hartzog added. "As I’ve said elsewhere, BIPA is a guide not just because of what it provides but also because of what it lacks."