The New Biometric Data Ruling You Need to Know About!

Authentication through biometrics—such as fingerprinting or iris scanning—is growing rapidly. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA) and became the first state to regulate the collection and use of this kind of data.

Recently, the Illinois Supreme Court made it much easier for plaintiffs to show harm under BIPA. This means we’ll likely see a significant rise in the number of lawsuits alleging violations.

The Trouble with Biometrics

While convenient, there are several drawbacks to using this data to authenticate a user. Unlike a password or a government-issued identification number, biometrics cannot be changed if compromised. Consequently, lawmakers continue to regulate the collection, use, storage, and destruction of this sensitive data.

BIPA Basics

Generally, BIPA requires organizations to give written notice and receive consent from the individuals whose biometric data is being collected or used. Biometric identifiers include fingerprints and voiceprints as well as retina, iris, hand, and facial geometry scans.

Companies are required to publish a privacy policy describing their biometric data retention policy. BIPA also gives individuals a private right of action to sue companies and obtain damages for violations.

Technical Violations Benefit Plaintiffs

Rosenbach v. Six Flags significantly changed the litigation landscape regarding biometric data handling. According to the Illinois Supreme Court, an individual could be “aggrieved” simply by a technical violation of BIPA even without suffering an actual injury or damage.

Prior to this case, plaintiffs had to show actual harm to collect damages. In short, this decision makes it much easier for plaintiffs to successfully sue companies for BIPA violations.

Practical Advice

This recent decision highlights the importance of notice and consent procedures related to collecting biometric information. Here are some things you can do today.

  • If you collect biometric data, get familiar with BIPA requirements and other biometric privacy laws (e.g., Texas).
  • Provide adequate informed notice and receive written consent before collecting or using biometric data.
  • Review your privacy policy for notice and consent procedures designed to educate individuals about the company’s privacy practices.
  • Review vendor relationships and determine whether third parties have access to or use your biometric data. If so, make sure you disclose that in your privacy policy!
  • Train your employees to properly handle biometric data.