Only three U.S. states have laws protecting biometric data: Illinois, Texas, and Washington.
Of those, Illinois’s BIPA (Biometric Information Privacy Act) is the most rigorous, and its rules have led to almost 2,000 class action lawsuits being filed since 2017.
Meanwhile, the penalties related to these complaints have been staggering and rival the much-discussed disciplinary powers enshrined in the EU GDPR (General Data Protection Regulation).
For instance, in 2020, Facebook agreed to pay $650 million to settle a BIPA class action involving its use of facial recognition software. And in October last year, a jury ordered BNSF Railway to pay $228 million after it was accused of collecting truck drivers’ fingerprints without their consent.
Although that ruling was recently vacated, it nonetheless demonstrates the confidence with which decision-makers rule on the safety and security of biometric data.
Such is the popularity of legislation on this topic that another 11 states are considering similar laws: Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, and Washington.
Unlike typical data privacy protections, biometric laws are likely to engender more frequent litigation for two reasons.
First, as presently written, most allow for civil actions to recover actual damages, including punitive damages. This opens the door to class actions for collecting biometric information.
Second, some laws allow for liquidated statutory damages. These allow plaintiffs to get around the problems associated with two U.S. Supreme Court cases: Spokeo, Inc. v. Robins and TransUnion LLC v. Ramirez.
In these cases, the court held that a plaintiff in federal court must show “concrete harm.” This could include physical, monetary, and reputational harm. Potential or speculative harm does not count.
There is a growing trend toward favoring statutory damages in relation to data protection. This means that every violation of a particular law will result in concrete monetary damages.
Statutory liquidated damages allow a court to take jurisdiction over a case for all plaintiffs affected by the violation.
For example, in Rosenbach v. Six Flags Entertainment Corp., the defendant collected the plaintiff’s fingerprints without permission for admission to the park’s rides.
A state court decided that the plaintiff could maintain the action even when there was no actual harm or injury. Violation of the law was sufficient. The law also contained statutory damages.
There are relatively few instances of these rulings in relation to biometric data, but that could soon change – particularly as the use of, and controversies surrounding, these types of data increase.
What matters is how biometric data is defined and whether the courts consider there to be significant differences in comparison to other forms of sensitive data.
After all, ‘sensitive data’ is a long-established term, and it typically includes things that would be defined specifically as biometric data – such as fingerprints or retinal scans.
Unfortunately, many U.S. organizations have yet to realize that the rules are now much tougher regarding the collection and processing of personal data.
Until organizations recognize the true liability involved, they will put themselves and their customers at risk.