Julie O'Neill, left, and Max Phillip Zidel, right, of Morrison & Foerster.

The following Q&A is an excerpt from Law.com's What's Next briefing, a weekly newsletter on the future of law.

For those tracking litigation over biometric data, a decision from the Illinois Supreme Court in late January was a game changer. In Rosenbach v. Six Flags Entertainment, the court held that a violation of the state's Biometric Information Privacy Act, or BIPA, is enough to confer standing even without a concrete showing of harm. Cue the class actions!

Morrison & Foerster partner Julie O'Neill and associate Max Phillip Zidel recently wrote about the decision, highlighting the emerging conflict on BIPA between state and federal courts. We checked in for their take on the standing question and to ask how companies can collect and use biometric data without becoming an easy target for litigation.

➤ What types of businesses need to be aware of the laws around biometric data? Are more companies collecting this data than one might assume?

All companies that in any way collect or use biometric data (e.g., facial scans, iris/retinal scans, fingerprints, voiceprints or any other identifier derived from biological characteristics), regardless of whether such data is, for example, from consumers, employees, or other individuals, need to consider biometric privacy laws. We are seeing more and more companies come to us to carry out a preliminary assessment under the various biometric privacy statutes. Some of the uses of biometric data we are seeing are more overt, such as companies employing facial recognition technology in their consumer-facing apps. In other instances, there is more gray area, such as where clients ask us about identifying employees through photographs or video footage, or where a medical device company's activities do not fit perfectly within one of the exceptions. On the whole, we tend to see less of the former and more of the latter, but this could change as more and more companies think about building biometric access features into consumer-facing products and workplace processes.

➤ What makes the Illinois Biometric Information Privacy Act (BIPA) so significant in this emerging area?

BIPA stands out because of its private right of action. The act provides not only for actual damages, but also for statutory damages of up to $5,000 per violation, which makes it an attractive target for plaintiffs' attorneys seeking to bring a class action. As a result, we have seen a very large number of BIPA class actions in the past couple years, and this trend continues to accelerate—especially after the recent Illinois Supreme Court ruling discussed below. Given BIPA's status as the oldest and most active biometric privacy statute, it also comes as no surprise that many other states thinking of passing legislation in this area are looking to BIPA as a model. As more substantive case law under BIPA is developed by the courts (thus far it has mostly centered on the issue of standing), this case law could also serve as the foundation for the interpretation of similar laws in other states.

➤ The Supreme Court of Illinois ruled in January that an alleged violation of BIPA alone is sufficient for standing under Illinois law. Does that concern you?

A primary concern is the lack of clarity. The Supreme Court ruling contradicts a handful of other decisions coming out of the federal court, which have held that merely alleging a violation of BIPA is not enough to confer standing to sue under the statute. Of course, as a ruling on a strictly Illinois state law issue, the Illinois Supreme Court carries a great deal of weight; however, it is not yet clear whether federal courts sitting on the basis of diversity jurisdiction will attempt to try and move away from this ruling by characterizing it as one on a purely procedural matter, over which they retain their own jurisdiction. Further, the focus on procedural issues to date has meant that there is essentially no guidance or interpretation on what the various prohibitions and requirements under BIPA actually mean. For instance, the statute prohibits use of biometric information for profit, but what exactly does “profit” signify in this context? What if biometric data is simply being used to improve a consumer-facing product, which of course might indirectly lead to increased profits for the relevant company? All of the above make it difficult to assess the risks of liability under BIPA.

In any case, the Supreme Court of Illinois ruling means we are definitely going to see more activity in this area (in fact we already have), and that more than ever, organizations will need to be confident they are compliant with the various notice, consent, disclosure and other requirements under BIPA in order to avoid potentially significant liability. Without an explicit requirement for standing, it will be much easier for plaintiffs to form, settle and even prevail in large class actions on the basis of the most basic statutory violations—even in the absence of any actual harm whatsoever.

➤ Under current law, what steps should a company take if it plans to collect biometric data from employees?

A company must first determine whether any of the state laws apply to its proposed collection of such data. The scope and coverage vary for each. Assuming that a law applies, a company must then determine how to comply with the applicable notice, consent, use, disclosure, and retention requirements. These are fairly similar across the laws, but there are some key differences. For instance, while all three require notice and consent for the collection and use of biometric data, BIPA is much more restrictive than its Washington and Texas counterparts.

Specifically, BIPA requires that notice be given and consent obtained from each employee in writing and that such notice include the specific reasons and intended duration for the collection and use of the data. In contrast, Washington and Texas do not prescribe any particular form of notice and consent. BIPA also requires that a company develop a publicly available written policy that includes a retention schedule and guidelines for the permanent deletion of biometric data, whereas the other two states have no such requirement.

A covered company must also closely review any restrictions on its ability to disclose the data. All three states generally prohibit such disclosure except where the employee has given consent or where the disclosure falls under an exception (such as complying with the law or completing a financial transaction requested by the employee). Unlike the others, however, BIPA also contains a wholesale prohibition on the sale or other disclosure of biometric data for profit, irrespective of whether an employee has consented.

Of course, these are only highlights of the requirements and nuances under the laws. The important takeaway for a company that proposes to collect biometric data is that it will have to carefully consider the applicable law(s) to determine whether any changes to its practices are necessary.

➤ Given the lack of clarity, would companies prefer to have a federal law that sets a national standard?

In our experience, it is often easier for a company to comply with one federal standard, rather than a patchwork of state laws; however, federal consumer protection laws usually do not completely preempt state laws, such that compliance with perhaps similar but not identical standards is often necessary.

We are actively monitoring biometric privacy developments at both the state and federal levels. Just a couple weeks ago, on March 14, a bill was introduced in the U.S. Senate, aimed at regulating the collection and use of data in connection with facial recognition technology. Much like the existing state laws, the bill, if passed, would impose various notice, consent, use, disclosure, and retention requirements—though only with respect to one category of biometric data and solely to the extent such data is used for identification purposes. The bill has a couple novel elements, such as requirements aimed at preventing discrimination and other “offensive” processing in connection with the use of facial recognition technologies.

So far, the bill appears to have attracted a substantial amount of bipartisan and industry support, so we will be watching it closely.

➤ What about the GDPR?

The GDPR treats biometric data as a form of “sensitive data,” which means that it is subject to heightened protections. The collection of sensitive data is generally prohibited, unless a company can rely on one of the exceptions provided under the GDPR. For example, it may be possible to collect biometric data with the explicit consent of the individual. Consent may not, however, be a valid option in the employment context, as European data protection authorities have generally taken the position that an employee is, by virtue of her position and the employer's power over her, unable to provide consent in the “freely given” manner required by the law.
