Illinois' Biometric Information Privacy Act (BIPA) has been making headlines recently as companies face class-action lawsuits for their mishandling or inappropriate collection of biometric data, especially as it relates to employees. While BIPA is taking the spotlight, it is not the only law of its kind, and it's likely that more will follow as regulations amass.
Illinois' BIPA, enacted in 2008, was the first law addressing the protection of biometric data. The law requires informed consent prior to collection and a limited right of disclosure, and mandates protection obligations and retention guidelines. It prevents the selling of biometric data to third parties and creates a private right of action for individuals.
UPDATE: In January 2019, the Illinois Supreme Court ruled in favor of a woman who filed suit against Six Flags after her 14-year-old son's fingerprints were collected without permission. Six Flags argued that there was no appreciable "harm" from the collection of his fingerprints, but the Supreme Court justices wrote that she can be considered an "aggrieved person" without any harm because the fingerprints were collected without consent. This decision will impact over 200 similar BIPA cases currently being tried. Notably, the only route of enforcement authorized by BIPA is a private right of action.
The Texas Capture or Use of Biometric Identifier statute, enacted in 2009, has a more specific application than BIPA. Texas BIS applies only to biometric identifiers that are captured for a commercial purpose, though the definition of "commercial purpose" is not provided. Unlike Illinois, there is no private right of action in Texas, and the attorney general is the only individual with authority to enforce the law.
Washington state's Biometric Identifiers Law, enacted in mid-2017, does not apply to employers, but to businesses collecting biometric data for commercial uses. As with Texas' BIS, the attorney general is the only individual in Washington with authority to enforce this law. The law prohibits "enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." It places restrictions on retention of biometric information and its disclosure to third parties, and requires that businesses "take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers".
New York's Labor Law, Section 201-a prohibits employers from requiring fingerprinting of employees as a condition of securing employment or continuing employment. Littler explained that the New York Department of Labor previously responded to requests for clarification on the application of this law to biometric timeclock devices using fingerprints. Guidance from the NYDOL suggested that requiring employees to use a fingerprint timeclock is a violation of this section, but the use of an instrument that did not scan surface details (i.e. fingerprints) would be permitted.
If your organization is collecting biometric data in any form, are you confident that your collection is in line with state-specific biometric laws? Are you obtaining informed consent where appropriate? Are you collecting only approved forms of biometric data?
It's easy to get lost in the chaos of slightly varied data privacy and cybersecurity regulations. Jordan Lawrence helps you clarify your obligations, understand the who, what, where, why, and how of your data collection practices, and determine which regulations apply to your organization, so you can ensure defensible compliance.