FEATURED STORY October 15, 2021

Biometric Data Protection Laws - Coming to a Jurisdiction Near You


Companies are becoming increasingly aware of the reach of biometric privacy laws, which are designed to protect an individual's biometric identifiers or biometric information ("biometric data"), such as fingerprints, voiceprints, hand scans, and face geometry. Since the Illinois Biometric Information Privacy Act ("BIPA") became effective in 2008, a number of states have passed or are considering [1] similar laws protecting such biometric data.

BIPA contains strict requirements that prohibit a private entity from collecting, capturing, or otherwise obtaining a person's (customers' or employees') biometric data unless it first:

  • Informs the subject in writing that biometric data is being collected or stored;
  • Informs the subject in writing of the specific purpose and length of term for which biometric data is being collected, stored, and used; and
  • Receives a written release[2] executed by the subject of the biometric data.

Businesses must also maintain a publicly available policy establishing a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collection or storage has been satisfied or within 3 years of last interaction, whichever occurs first.

Prior to collecting any biometric data, a business should have a concrete understanding of the types of data it is collecting, where that data originates, where and how it is stored, and how it is destroyed. A business should thoroughly vet vendors that may collect, process, or store biometric data on its behalf. This understanding will form the basis for the business to properly evaluate how it will comply with BIPA and other biometric and data privacy laws.

Businesses should consider implementing the following practices to comply with BIPA and other states' biometric privacy laws:

  • Update current privacy policies, or create new ones, to address the business' biometric data practices, including providing individuals with information on the purpose of the collection, the retention schedule, and the guidelines for destroying biometric data. Ensure such policies are publicly available;
  • Obtain written consent from the consumer to collect biometric data. Businesses may be able to use a "click-wrap" agreement, although a more robust written release would be preferable;
  • Create and enforce a robust security protocol regarding biometric data and other personal information;
  • Include provisions in vendor contracts granting audit rights and take advantage of such rights;
  • Where there is a legitimate business reason to store data, consider (i) storing the data offline, (ii) limiting access within your organization, (iii) storing the data in an encrypted manner, and (iv) not repurposing the data without getting consent anew; and
  • Consider alternative tools that still achieve the purpose if an employee or customer objects to the collection of the data.

Despite a business's best efforts, complying with BIPA and other states' biometric privacy laws may prove difficult in certain circumstances. For example, Nuance Communications Inc. ("Nuance"), a speech and voice recognition technology company, was recently sued in Illinois for alleged violations of BIPA. Plaintiffs in that case (Voice Recognition Tech Co. Broke Ill. Privacy Law, Suit Says - Law360) allege that Nuance obtained and analyzed a customer's voiceprint to better direct her call, without her written consent, in violation of BIPA.

It may be challenging to notify a customer in writing and obtain his or her written consent to collect biometric data in these circumstances. Thus, a business using these types of services may need to consider alternatives to comply with BIPA and other biometric privacy laws while providing innovative and valuable services to its customers.

[1] See our prior post regarding the New York Biometric Privacy Act.

[2] Written release means informed written consent. In the employment context, a release executed as a condition of employment is permissible.
