Add a bookmark to get started

2 May 20244 minute read

Booming biometrics: Emerging trends

While biometric technology becomes increasingly important in the evolving world of electronic authentication and fraud prevention, litigation under existing biometric privacy laws is becoming increasingly prevalent. States that already have such laws include Illinois, New York, Texas, and Washington; and even several cities (such as New York City and Portland, Oregon) have biometric privacy laws. These jurisdictions may soon be joined by Arizona, Connecticut, Hawaii, Kentucky, Maine, Maryland, Massachusetts, Minnesota, Missouri, Montana, Nevada, New Jersey, Pennsylvania, and Tennessee; all of which have pending biometric privacy legislation. Federal legislation has also been introduced in the space.

Illinois BIPA still a hotbed of actions

It is no surprise that Illinois, which became the first state to enact such a law in 2008, has quickly developed case law in this area, due in large part to the private right of action and broad scope of the Illinois Biometric Information Privacy Act (BIPA). BIPA has been fertile ground for consumer lawsuits which have predominantly taken the form of class actions in which plaintiffs accuse defendants of illicitly collecting biometric data.

Typical allegations within these actions include:

  • not informing affected individuals about the collection or storage of their biometric information,
  • not disclosing the retention period or the purposes of such collection
  • failing to obtain written consent and
  • not maintaining a public written policy detailing the retention schedule and the procedures for the eventual destruction of biometric data.

At issue: what is “biometric information”?

BIPA has defined “biometric information” to include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry” but courts are awash with actions that require them to determine whether the particular information gathered falls within the statute.

Courts are thus required to wrestle with whether something can be used to identify someone – for example, a “voiceprint” versus a “voice recording,” or facial geometry information versus a simple photograph. At least six BIPA cases have been decided in 2024 surrounding fingerprints and one involving voiceprints, and at least six more have centered on facial geometry.

Lawsuit trends

A significant trend in BIPA litigation is the number of lawsuits filed by employees against their employers. These lawsuits generally assert that employers unlawfully gathered employees’ biometric data, such as fingerprints, often for purposes such as tracking work hours and without observing the necessary BIPA stipulations.

Another large segment of BIPA-related actions surrounds the unauthorized collection, usage, or sharing of individuals' facial geometry or biometric information. Prominent targets of such actions include smartphone applications, photo storage services, and various technological products that scan users' faces, either for direct or indirect profit or to enhance facial recognition capabilities.

Legislative response

In response to the flood of litigation, Illinois legislators have introduced a number of potential amendments to BIPA that largely focus on excluding the collection of biometric information for certain purposes, such as complying with other Illinois employment laws or distinguishing and excluding information that is converted to a mathematical representation. Proposed amendments would eliminate statutory damages, reduce the statute of limitations, and exclude private entities with employees covered by collective bargaining agreements that establish different policies related to biometric information.

Risk mitigation

BIPA violations have been reported in contexts as diverse as remote proctoring services, customer and user identity verification, and voluntary provision of biometric data to third-party facial recognition databases. While companies may seek claims coverage for BIPA violations from their insurers, insurance providers frequently dispute such claims.

Legal interpretations of BIPA have been heavily shaped by court decisions that have treated BIPA violations as significant violations of an individual’s right to privacy of their own biometric data, rather than as technicalities. Courts have held that breach of the BIPA itself constitutes a harm sufficient to claim damages and that failure to satisfy BIPA's notice and consent requirements result in actual, tangible injuries, granting plaintiffs the standing to sue. (See our previous Insight on BIPA litigation.)

It is therefore imperative for any entity that may collect and/or store (either directly or indirectly) biometric data to thoroughly assess the collection, use, and storage of such data through the lens of applicable laws and regulations.

Learn more about this rapidly shifting legal landscape by contacting any of the authors.