In January of 2021, a bipartisan group of New York State lawmakers proposed a comprehensive policy that places restrictions on the collection of biometric information by companies operating in the state. Assembly Bill 27, the Biometric Privacy Act, would allow for consumers to sue companies that improperly use or retain an individual’s biometric information. New York’s biometric act follows suit behind Illinois’ Biometric Information Privacy Act (BIPA), the first and most robust state law that guards against the unlawful collection and storing of biometric information. Like BIPA, Assembly Bill 27 was created to place regulations on a company’s handling of biometric data, such as fingerprints, voiceprints, retina scans, and scans of the hand and face geometry. Assembly Bill 27, however, does not cover writing samples, written signatures, photographs, or physical descriptions.
What Is Included?
The Biometric Privacy Act requires businesses collecting biometric identifiers or information to develop a written policy establishing a retention schedule and guidelines for permanently destroying the biometric data. The destruction of the data must occur when the initial purpose for collecting the biometric data has been “satisfied,” or within three years of the individual’s last interaction with the company, whichever occurs first. This bill also includes a private right of action that would allow consumers to sue businesses for statutory damages up to $1000 for each negligent violation and $5,000 for each intentional or reckless violation.
Further, AB 27 requires companies to obtain written consent from individuals before collecting, purchasing, or obtaining biometric information and provide notification to those individuals about the specific purpose and length of time the data will collected, stored, and used. Companies are prohibited from selling, leasing, trading, and profiting from biometric information and strict restraints are placed on a business’s ability to disclose biometric information to a third party without consumer consent.
The Impact of Biometrics on Future Legislation
With the increased volume of biometric information being used by companies leveraging biometric-driven timekeeping systems and other technologies, the push for biometric privacy policies that govern the use of these technologies and promotes safeguards for employees is gaining momentum. Several states are also looking to amend their breach notification and security laws to include biometric identifiers. For example, New York State’s SHIELD Act, the breach notification law enacted in 2019, has already been expanded to include biometric data in its definition of private information.
At Beckage, we have a team of highly skilled lawyers that stay up to date on proposed and enacted legislation. With states looking to implement biometric privacy laws similar to BIPA, it is important to have legal tech counsel to address compliance with these emerging laws. Our team can help assist your company in assessing and mitigating risks associated with emerging technologies.
*Attorney Advertising. Prior results do not guarantee similar outcomes. *
COVID-19 is accelerating company adoption of biometric technologies. With a global shift towards remote working, biometric technologies, which measure physiological, behavioral, and psychological characteristics, can promote, or at least monitor, productivity by recording employee performance. Facial recognition biometric systems have also been vital in contactless engagement, especially in the airline and retail sectors, and such systems will remain after the pandemic subsides. This burgeoning biometric industry is garnering interest from lawmakers. Given the firm’s technology-driven focus, Beckage has been tracking biometric laws and will continue to monitor legal and business developments surrounding biometric technologies.
Biometric Data and the Law
Unlike other personal data, such as passwords, social security numbers, and payment card information, biometric identifiers cannot easily be changed once breached. Because they are immutable by nature, regulations classify them as a sensitive class of personal data. Notable laws that govern biometric data include the E.U. Global Data Protection Regulation (GDPR) and U.S. state laws, including California’s comprehensive privacy law. Three states, Illinois, Texas, and Washington, have passed biometric specific laws. New York State recently introduced the Biometric Privacy Act, a bill that is nearly identical to Illinois’ BIPA, and other states, such as Arkansas and California have amended their breach notification laws to reflect biometric data as personal identifying information.
The first step to knowing whether biometric regulations apply to your business is understanding the definition of biometric data. The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.” Art. 4(14). Similarly, U.S. biometric laws protect biometric data characterized in terms of personal identifiers, including retina scan, iris scan, fingerprint, voiceprint, hand scan, and face geometry. For example, the Illinois Biometric Data Act (BIPA) defines biometric information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” Sec.10.
U.S. Biometric Litigation Trends
Recent rulings in biometric litigation indicate that BIPA currently drives the legal landscape on biometric data protection in the U.S. BIPA litigation is on the rise following the Illinois Supreme Court 2019 decision in Rosenbach v. Six Flags. The plaintiff in Rosenbach was the mother of a minor whose fingerprint was captured to verify his identity for entry to an amusement park owned by the defendant. The Court rejected the defendant’s allegations that the plaintiff had not suffered any actual or threatened harm. Consequently, the Court held a plaintiff can sue based on a mere technical violation of the law. This decision means that a person does not have to suffer actual harm to pursue a biometric suit under BIPA. Further, federal courts have agreed that failure to implement privacy policies outlining procedures for collection, retention, and destruction of biometric identifiers is sufficient to demonstrate a violation of the law. For example, in May 2020, the Seventh Circuit in Bryant v. Compass found the Rosenbach ruling instructive in holding the plaintiff can pursue a lawsuit against a vending machine operator if the vending machine installed at a workplace integrated biometric authentication in lieu of credit card payments.
The types of companies involved in BIPA litigation are diverse. Any company that collects, stores, or uses biometric information related to Illinois residents is subject to BIPA. To that end, no industry seems immune: plaintiffs have sued big tech companies using facial recognition technologies and smaller companies, such as nursing homes, using fingerprinting systems for timekeeping. The Compass ruling illustrates that third-party vendors who provide biometric authentication systems in the workplace are within the reach of BIPA.
The diversity in cases signals the legislative impact of the law and spotlights the role of privacy policies and procedures. BIPA is the only biometric law in the U.S that allows individuals to sue a company for damages in amounts ranging from $1,000 to $5,000 per violation. Thus, the stakes can be high for companies without proper biometric data governance.
What should companies do?
To comply with the evolving BIPA compliance and other biometric laws, companies should work with experienced lawyers who understand biometric technologies and regulations to address the following controls and practices:
- Properly inform individuals or responsible parties about the purpose of collecting their biometric data.
- Properly inform individuals or responsible parties about the company’s biometric collection, retention, storage, and dissemination policies and procedures.
- Obtain written consent from individuals or their responsible party before collecting biometric data.
- Make the company’s written biometric policy establishing retention schedule and destruction guidelines publicly available.
A robust biometric compliance program should reflect current laws and be flexible and scalable to adapt to the changes laws that new biometric legal rules will inevitably bring to their privacy compliance programs. Beckage’s lawyers, who are also technologists, are equipped with the skills and experience to build a robust biometric compliance program. We stand ready to answer any of your questions.
*Attorney Advertising. Prior results do not guarantee future outcomes.
One of Beckage’s 2021 privacy predictions is the continued rise of biometric lawsuits and legislation, even outside Illinois’ BIPA. Case in point is a recent consent decree the Federal Trade Commission issued against EverAlbum, a California company, concerning its use of photo-tagging and facial recognition technologies.
The Claims Against EverAlbum Inc.
In its complaint, the FTC alleges that EverAlbum, Inc. violated Section 5 of the Federal Commission Act by making several misrepresentations concerning its App’s use of facial recognition technology (FRT). Specifically, the FTC alleged that:
- EverAlbum’s facial recognition feature was on by default. InFebruary 2017, EverAlbum launched a new feature in the Ever App, called ‘Friends’ that used facial recognition technology to group users’ photos by the faces of the people who appear in them and allowed users to “tag” people by name. EverAlbum allegedly enabled facial recognition by default for all mobile app users when it launched the ‘Friends’ feature.
- EverAlbum falsely claimed that users must affirmatively activate FRT. Between July 2018 and April 2019, EverAlbum allegedly represented that it would not apply facial recognition technology to users’ content unless users affirmatively chose to activate the feature. Although, beginning in May 2018, the company allowed some Ever App users—those located in Illinois, Texas, Washington and the European Union—to choose whether to turn on the face recognition feature, it was automatically active for all other users until April 2019 and could not be turned off.
- EverAlbum used users’ images to create a larger dataset to develop its FRT, and sold FRT services to enterprise clients. Between September 2017 and August 2019, EverAlbum combined millions of facial images that it extracted from users’ photos with facial images that EverAlbum obtained from publicly available datasets to create datasets for use in the development of its facial recognition technology. The complaint alleges that EverAlbum used the facial recognition technology resulting from one of those datasets to provide the Ever App’s “Friends” feature and also to develop the facial recognition services sold to its enterprise customers without disclosing this to users.
- EverAlbum Failed to delete photos from deactivated accounts. EverAlbum is also alleged to have promised users that the company would delete the photos and videos of users who deactivated their accounts. The FTC alleges, however, that until at least October 2019, EverAlbum failed to delete the photos or videos of any users who had deactivated their accounts and instead retained them indefinitely.
FTC v. EverAlbum Inc. Settlement Agreement
In the consent Agreement, the FTC requires EverAlbum to:
- Delete Certain User Information: Specifically, within 30-90 days of the agreement, EverAlbum must delete:
- The photos and videos of Ever App users who deactivated their accounts
- All face embeddings, data reflecting facial features that can be used for facial recognition purposes, the company derived from the photos of users who did not give their express consent to their use.
- Any facial recognition models or algorithms developed with EverAlbum users’ photos or videos
- Obtain Affirmative Express Consent from Users: EverAlbum must obtain affirmative express consent from users whose biometric information is collected.
Potential Application of EverAlbum Settlement
The FTC v. EverAlbum Inc. settlement sets a defacto standard for businesses who are collecting biometric information from consumers in the United States. Companies who use biometric data or facial recognition technology should observe the following takeaways from this settlement:
First, the settlement makes clear that facial recognition technology used on photographs is a regulated biometric practice. This is somewhat unclear under the Illinois BIPA statute, where defendants have argued that photographs are exempt from the law.
Next, as a defacto standard, the FTC is requiring that businesses make clear and conspicuous disclosures regarding their biometric practices. The Agreement defines clear and conspicuous as “not difficult to miss” and easily understandable by ordinary consumers, including in all the following ways:
- In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication, even if the representation requiring the disclosure (“triggering representation”) is made through only one means.
- A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
- An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
- In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
- The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
Third, as a defacto standard, the FTC is requiring businesses that collect biometric information (such as photographs used for FRT) should obtain affirmative express consent from users before doing so. Although undefined in the agreement, in other contexts affirmative express consent may be accomplished through a written release or digital signature (BIPA), through an affirmative opt-in pop up for the specific purpose of making the biometric disclosure and obtaining consent.
Recommended Next Steps
Beckage recommends all companies that collect biometric information, including facial recognition technology, take several proactive steps in the wake of the EverAlbum settlement.
- Evaluate the use of pop-ups and opt-ins or written releases to obtain affirmative express consent for FRT practices in the United States (note, in IL, a written release is required).
- Evaluate default settings and deletion photo and biometric information deletion practices to ensure compliance with the EverAlbum settlement requirements.
Emerging technologies present opportunities for companies to better engage their customers, but also create new data privacy concerns. With some states looking to implement biometric privacy laws mimicking Illinois’ Biometric Information Privacy Act (BIPA), including New York Biometric Privacy Act, (AB27), companies collecting and using biometric technology, like FRT, should consult legal tech counsel to evaluate compliance with these emerging laws. Beckage attorneys, who are also technologists and former tech business owners, have years of collective experience with new technologies, like artificial intelligence, biometric data, facial recognition technology. Our team can help your company implement and mitigate the risks associated with emerging technologies.
*Attorney Advertising. Prior results do not guarantee future outcomes.