The BIPA Effect: Privacy Laws are Hitting Back Against Biometric Non-Consent
Biometric privacy laws are evolving rapidly in the US as more states seek to protect their residents' rights and interests in their biometric information. Companies and organizations that collect or use biometric information should be aware of the current and potential legal obligations and risks they face in different jurisdictions and take appropriate measures to comply with them. This article highlights some of the top BIPA settlements and provides a five-step plan to help organizations ensure compliance without sacrificing the use of the biometric technologies.
Biometric data, such as fingerprints, facial scans, iris scans, voiceprints, DNA and other unique biological identifiers, are increasingly used by companies for various purposes, such as authentication, security, marketing and personalization. For example, Whole Foods has implemented central biometric technologies that analyze a customer's gait. This means unique movement characteristics for how the user walks is being collected, stored and analyzed to provide a more seamless shopping experience. This data, however, poses significant risks to consumers' privacy and security, as they can be stolen, hacked, sold or misused by unauthorized parties.
To protect consumers' rights and interests in their biometric data, Illinois enacted the Biometric Information Privacy Act (BIPA) in 2008. BIPA is a landmark law that sets a high standard for biometric privacy protection in the United States. It is considered the most stringent biometric privacy law in the US as it requires companies to obtain written consent from consumers before collecting, storing or using their biometric data. The Privacy Act grants individuals the right to sue private entities for violations of the law and seek statutory damages up to $5,000 for each violation.
Since BIPA came onto the scene, 27 states have enacted similar-modeled biometric privacy legislation. Only five states have no existing or pending legislation on biometric privacy: Georgia, Kansas, Michigan, Missouri, and South Dakota.
BIPA sets the standards for how companies must safeguard, disclose and dispose of biometric data, and prohibits companies from selling or profiting from biometric data. Since its passage, BIPA has triggered a wave of lawsuits against companies that use biometric technology without consent, especially in the fields of employment, social media, retail and entertainment. In 2019 alone, over 300 class-action cases were opened. Some of the more notable settlements include:
- A $650 million settlement by Facebook in 2021 for allegedly using facial-recognition technology to scan users' photos without their consent.
- A $228 million verdict by a jury in 2022 against BNSF Railway Company for allegedly requiring drivers to provide fingerprints each time they entered the railyard without their consent.
- A $92 million settlement by TikTok in 2021 for allegedly collecting and using users' facial scans for advertising purposes without their consent.
- A $35 million settlement by Six Flags in 2020 for allegedly scanning visitors' fingerprints for season passes without their consent.
These cases illustrate the potential legal and financial consequences of violating BIPA, as well as the growing awareness and activism of consumers regarding their biometric privacy rights. They also highlight the need for companies to comply with BIPA's requirements and best practices when using biometric technology.
Top 25 BIPA Lawsuits – Amount, Dates, & Modalities
- Facebook: $650 million, February 2020, face templates
- Google: $7.5 million, June 2020, face templates
- TikTok: $92 million, August 2020, face scans and voiceprints
- Snapchat: $40 million, August 2020, face scans
- Clearview AI: $35 million, September 2020, face scans
- Shutterfly: $6.75 million, October 2020, face templates
- Southwest Airlines: $3 million, October 2020, fingerprints
- Home Depot: $3 million, November 2020, fingerprints
- L.A. Tan Enterprises: $1.8 million, November 2020, fingerprints
- Peacock Foods: $1.5 million, December 2020, fingerprints
- Macy's: $1.5 million, December 2020, face scans
- Hilton Worldwide Holdings: $1.5 million, December 2020, fingerprints
- Lowe's Companies: $1.4 million, December 2020, fingerprints
- United Airlines: $1.4 million, December 2020, fingerprints
- Mariano's Fresh Market: $1.2 million, December 2020, fingerprints
- ABM Industries: $1.2 million, December 2020, fingerprints
- Wendy's International: $1.2 million, December 2020, fingerprints
- Dollar Tree Stores: $1.2 million, December 2020, fingerprints
- White Castle System: $1.2 million, December 2020, fingerprints
- Panera Bread Company: $1.2 million, December 2020, fingerprints
- Speedway LLC: $1.2 million, December 2020, fingerprints
- Kroger Co.: $1.2 million, December 2020, fingerprints
- Walgreens Co.: $1.2 million, December 2020, fingerprints
- CVS Pharmacy: $1.2 million, December 2020, fingerprints
- Target Corporation: $1.2 million, December 2020, fingerprints
AUTHENTICATION v IDENTIFICATION: Why It Matters
Biometric authentication and biometric identification are two very different ways of using biometrics to verify a person's identity. Traditional biometric authentication approaches compare a person's biometric data with a stored template (1:1) whereas biometric identification compares a person's biometric data with a database of templates (1:m). Privacy laws like BIPA aim to protect consumers from unauthorized collection and use of their biometric data, but many people are still unaware of the differences between biometric authentication and biometric identification and how they affect their privacy.
Biometric authentication is more privacy-preserving than biometric identification, as it does not require a central database of biometric templates and does not reveal the person's identity to third parties.
Biometric identification, on the other hand, can pose more privacy risks, as it can enable tracking, profiling, and surveillance of individuals without their consent. The most glaring concern is the potential for data breaches and misuse. Unlike passwords or PINs, biometric data is sensitive and personal, and once compromised, it cannot be easily changed or replaced. If hackers or unauthorized parties gain access to the biometric data, they could use it for identity theft, fraud, or other malicious purposes. Moreover, biometric data could be used for surveillance, profiling, or discrimination by governments or corporations without the consent or knowledge of the individuals.
The lack of transparency and choice for consumers to opt in and out of biometric identification programs is a challenge as well. Many consumers are not aware of how their biometric data is collected, stored, processed, shared, or deleted by the entities that use it. Furthermore, some consumers may not even have the option to opt out or to use alternative methods of authentication or identification, which is in stark contradiction with prevailing identity trends.
Unlike many countries, the Unites States does not have a federal law that covers biometric data privacy across all sectors and states. Instead, data privacy regulation is left to state and local governments, which have different and sometimes conflicting laws and standards. This creates confusion and uncertainty for both consumers and businesses that collect and use biometric data.
Five steps companies can take to ensure compliance with BIPA:
Conduct a biometric data inventory and audit to identify what biometric data are collected, stored and used, and for what purposes. Are you using biometrics locally on devices? Are you storing biometric templates in a centralized database?
Develop a written biometric data policy that informs your employees and customers about their rights and obligations under BIPA, and obtaining written consent from all users before enabling any solution that leverages biometrics.
Implement privacy-preserving technologies that do not collect or store personally identifiable information such as biometric data for authentication purposes.
Review and update the biometric data policy and practices regularly to reflect changes in technology, law and consumer expectations.
Monitor and maintain MFA policies as good practice with all factors including biometrics.
By following these steps, companies and organizations can not only avoid costly litigation and reputational damage under BIPA, but also enhance consumer trust and loyalty in their products and services that use biometric technology. Consumers can also benefit from BIPA by exercising their rights and choices regarding their biometric data, and by being vigilant and informed about how their biometric data are collected, stored and used by companies.
Our biometric data is not just another piece of information; it is a reflection of our identity and individuality. Let's protect it!