October 15, 2021

Biometric Data Protection Laws - Coming to a Jurisdiction Near You


Companies are becoming increasingly aware of the reach of biometric privacy laws, which are designed to protect an individual's biometric identifiers or biometric information ("biometric data"), such as fingerprints, voiceprints, hand scans, and face geometry. Since the Illinois Biometric Information Privacy Act ("BIPA") became effective in 2008, a number of states have passed or are considering [1] similar laws protecting such biometric data.

BIPA contains strict requirements that prohibit a private entity from collecting, capturing, or otherwise obtaining a person's (a customer's or an employee's) biometric data unless it first:

  • Informs the subject in writing that biometric data is being collected or stored;
  • Informs the subject in writing of the specific purpose and length of term for which biometric data is being collected, stored, and used; and
  • Receives a written release[2] executed by the subject of the biometric data.

Businesses must also maintain a publicly available policy establishing a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collection or storage has been satisfied or within 3 years of the individual's last interaction with the business, whichever occurs first.

Prior to collecting any biometric data, a business should have a concrete understanding of the types of data it is collecting, where that data originates, where and how it is stored, and how it is destroyed. It should also thoroughly vet any vendors that may collect, process, or store biometric data on its behalf. This understanding will form the basis for the business to properly evaluate how it will comply with BIPA and other biometric and data privacy laws.

Businesses should consider implementing the following practices to comply with BIPA and other states' biometric privacy laws:

  • Update current privacy policies, or create new ones, to address the business's biometric data practices, including providing individuals with information on the purpose of the collection, the retention schedule, and the guidelines for destroying biometric data. Ensure such policies are publicly available;
  • Obtain written consent from the consumer to collect biometric data. Businesses may be able to use a "click-wrap" agreement, although a more robust written release would be preferable;
  • Create and enforce a robust security protocol regarding biometric data and other personal information;
  • Include provisions in vendor contracts granting audit rights, and take advantage of such rights;
  • Where there is a legitimate business reason to store data, consider (i) storing the data offline, (ii) limiting access within your organization, (iii) storing the data in encrypted form, and (iv) not repurposing the data without obtaining consent anew; and
  • Consider alternative tools that still achieve the purpose if an employee or customer objects to the collection of the data.

Despite a business's best efforts, complying with BIPA and other states' biometric privacy laws may prove difficult in certain circumstances. For example, Nuance Communications Inc. ("Nuance"), a speech and voice recognition technology company, was recently sued in Illinois for alleged violations of BIPA. Plaintiffs in that case (Voice Recognition Tech Co. Broke Ill. Privacy Law, Suit Says - Law360) allege that Nuance obtained and analyzed a customer's voiceprint to better direct her call, without her written consent, in violation of BIPA.

It may be challenging to notify a customer in writing and obtain his or her written consent to collect biometric data in these circumstances, such as during a live phone call. Thus, a business using these types of services may need to consider alternatives that comply with BIPA and other biometric privacy laws while still providing innovative and valuable services to its customers.

[1] See our prior post regarding the New York Biometric Privacy Act.

[2] Written release means informed written consent. In the employment context, a release executed as a condition of employment is permissible.
