February 17, 2021

CSG Law Alert: Biometric Data Protection Laws - Coming to a Jurisdiction Near You

Companies are becoming increasingly aware of the reach of biometric privacy laws, which are designed to protect an individual‘s biometric identifiers or biometric information (“biometric data”), such as fingerprints, voiceprints, hand scans, and face geometry. Since the Illinois Biometric Information Privacy Act (“BIPA”) became effective in 2008, a number of states have passed or are considering¹ similar laws protecting such biometric data.

BIPA contains strict requirements that prohibit private entities from collecting, capturing, or otherwise obtaining a person’s (customers’ or employees’) biometric data unless it first:

• Informs the subject in writing that biometric data is being collected or stored;
• Informs the subject in writing of the specific purpose and length of term for which biometric data is being collected, stored, and used; and
• Receives a written release² executed by the subject of the biometric data.

Businesses must also maintain a publicly-available policy establishing a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collection or storage has been satisfied or within 3 years of last interaction, whichever occurs first.

Prior to collecting any biometric data, businesses should have a concrete understanding of the types of data it is collecting, where that data originates, where and how it is stored, and how it is destroyed. Businesses should thoroughly vet vendors that may collect, process, or store biometric data on its behalf. This understanding will form the basis for the business to properly evaluate how it will comply with BIPA and other biometric and data privacy laws.

Businesses should consider implementing the following practices to comply with BIPA and other state’s biometric privacy laws:

• Update current privacy policies, or create new ones, to address the business’ biometric data practices, including providing individuals with information on the purpose of the collection, the retention schedule, and the guidelines for destroying biometric data. Ensure such policies are publicly available;
• Obtain written consent from the consumer to collect biometric data. Businesses may be able to use a “click-wrap” agreement, although a more robust written release would be preferable;
• Create and enforce a robust security protocol regarding biometric data and other personal information; and
• Include provisions in vendor contracts granting audit rights and take advantage of such rights.
• Where there is a legitimate business reason to store data, consider storing the data (i) off line, (ii) limit access within your organization, (iii) store the data in an encrypted manner and (iv) do not repurpose the data without getting consent anew.
• Consider alternative tools if an employee or customer objects to the collection of the data to still achieve the purpose.

Despite a business’ best efforts, complying with BIPA and other state’s biometric privacy laws may prove difficult in certain circumstances. For example, Nuance Communications Inc. (“Nuance”), a speech and voice recognition technology company, was recently sued in Illinois for alleged violations of BIPA. Plaintiffs in that case (Voice Recognition Tech Co. Broke Ill. Privacy Law, Suit Says – Law360) allege that Nuance obtained and analyzed a customer’s voiceprint to better direct her call, without the her written consent, in violation of BIPA.

It may be challenging to notify a customer in writing and obtain his or her written consent to collect biometric data in these circumstances. Thus, a business using these types of services may need to consider alternatives to comply with BIPA and other biometric privacy laws while providing innovative and valuable services to its customers.

¹ See our prior post regarding the New York Biometric Privacy Act.

² Written release means informed written consent. In the employment context, a release executed as a condition of employment is permissible.