Biometric technology faces litigation.
Biometrics are facing a growing backlash from consumers, courts and regulators. In May, San Francisco became the first US city to ban the use of facial-recognition technology by local agencies.
A January ruling by the Illinois State Supreme Court has prompted a wave of lawsuits over the use of biometric data for such tasks as employee time-keeping and security verification. Illinois’s 2008 Biometric Information Privacy Act (BIPA) requires written consent to collect and store an individual’s data, and aggrieved parties can sue. In reversing an appeals court decision, the state Supreme Court ruled that a violation of BIPA’s notice and consent provisions alone, without proof of actual harm, was enough for a person to be considered an “aggrieved party” under the law. Since then, nearly 300 lawsuits have been filed against employers in the state, according to Justin Kay, partner at law firm Drinker Biddle & Reath.
At least two other states have similar biometrics laws and another half-dozen are considering them. An increasing number of states are also passing broad privacy laws covering biometrics, similar to California’s Consumer Privacy Act (CCPA), which goes into effect in January 2020. “Biometric information tends to be included in the definition of personal information in all those proposals,” says Kay. “A lot of companies are concerned about that and will be watching very carefully” what happens when CCPA goes into effect. At the national level, a facial-recognition data privacy bill was proposed in Congress in March but has stalled.
Under the EU General Data Protection Regulation, which went into effect in May 2018, biometric data is considered a sensitive category requiring more robust protection. The GDPR defines biometric data broadly and requires the person’s consent for use of such data, except in special circumstances, says Robyn Chatwood, partner in the Global Privacy and Cyber Security Practice at Dentons Australia.
Some countries are legislating additional protections. In March, France’s data protection authority, the Commission Nationale de l’informatique et des libertés, published a model regulation that specifies what biometric data has work-related purposes and how long it can be retained. It also requires companies to show why they need to use employee biometric data rather than less-intrusive technologies.