Beware of the “Data Privacy Biometrics Ditch” That May Cost Your Organization Millions
Your organization is doing well.
Your organization has the appropriate policies and procedures in place, the legal team is on top of the compliance for your company, and your technical resources are humming along just fine. Then, BAM, you get sued for falling into the Data Privacy Biometrics Ditch! As a result of falling into the Biometrics Ditch, your organization may have to pay a multimillion-dollar fine or settlement and change its operational data practices to avoid the same fate.
So what is the Data Privacy Biometrics Ditch? The Data Privacy Biometrics Ditch is the sunken place that organizations find themselves in when they implement emerging technologies that capture or retain biometric information about individuals but do not make the fundamental changes in their policies, procedures, and operations to address the Data Privacy risks involved with these emerging technologies. There is nothing wrong with implementing emerging technologies; in fact, many companies do so with great success. But beware of the blind spots that may land your organization in the Data Privacy Biometrics Ditch and cost your organization millions of dollars in the process.
The biggest Data Privacy Biometrics Ditch many organizations have fallen into in the US over the last few years is the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1. BIPA is the most dreaded four pages of Data Privacy regulation that organizations face today in the US, but why?
BIPA has a few unique features not yet found in other Data Privacy regulations in the US, including:
BIPA is a harm-based law, not a “consumer-based law” like many Data Privacy laws in the US, which means that individuals do not have to be your customers to allege harm
BIPA allows individuals to sue and get financial redress, “a private right of action,” while other laws may limit the ability of individuals to sue for money
Through the years, the harm in BIPA cases has been calculated “per biometric data capture”: $1,000 per violation, or $5,000 per violation if the violation is intentional or reckless, which can make potential fines astronomical
BIPA is a “general applicability law,” which means that things like the proposed Federal ADPPA will not preempt it since consumer laws are not broad enough to cover people who are not consumers, as is the case with BIPA
Employees are not exempt from suing under BIPA over biometric data capture, whereas in most states such an employee exemption would apply because employees are not considered “customers”
What organizations have recently fallen into the “Biometrics Ditch,” and how much money did they lose?
At the state level, no other law in the US has extracted as much money from organizations as BIPA has from those that danced with it and lost. Here are just a few of the BIPA settlements (not all of them) in recent years:
$650 million - Facebook (Meta) - Alleged biometric capture, collection, and storage of digital face scans without the required disclosures of data use or data retention
$100 million - Google - Alleged biometric capture, collection, and storage of digital face images and scans without the required disclosures of data use or data retention
$95 million - TikTok - Alleged biometric capture of user attributes, ranging from eye color to facial expressions and physical gestures, without disclosure to the individuals
$50 million - McDonald’s - Alleged biometric capture of employee thumbprints and face data without the required disclosures or consent
$35 million - Snap - Alleged biometric capture of face prints without the required disclosures of data use or data retention
$25 million - ADP - Alleged biometric capture of employee thumbprints and face data without the required disclosures or consent
$9 million - Octapharma Plasma - Alleged biometric capture of employee thumbprints and face data without the required disclosures or consent
$6 million - BioLife - Alleged biometric capture of employee thumbprints and face data without the required disclosures or consent from donors
$4.5 million - Personalizationmall.com - Alleged biometric capture of employee thumbprints and face data without the required disclosures or consent
$3.3 million - UKG Biometrics - Alleged biometric capture of employee thumbprints and face data without the required disclosures or consent
Why should my organization still be concerned about the Data Privacy Biometrics Ditch if we don't collect biometric data or do not collect data on Illinois residents?
Due to the success of Illinois cases in extracting high-dollar settlements under BIPA, other states will likely enact laws like it in the future. Texas and Washington also have biometric laws, although cases under those laws move through their courts without a private right of action. Beware: states can pass these laws more rapidly than the Federal government, so we will likely see more laws like BIPA at the state level. Also, biometrics is a multi-billion-dollar industry, and many technological innovations that organizations want to implement now and in the future may have biometric data capture capabilities. Organizations must be prepared to ask the right questions before implementing, collecting, and retaining biometric data so that they do not fall into the Data Privacy Biometrics Ditch. Organizations need to remember that implementing these emerging technologies using biometrics is a data problem that can have legal ramifications, not a legal problem that has data ramifications. When organizations approach this data problem proactively, before a court case is filed, they can avoid the Data Privacy Biometrics Ditch and turn Data Privacy into a business advantage.
DOWNLOAD THIS BIPA CHECKLIST
These Seven Questions Can Save You From a Biometrics Privacy Lawsuit
This checklist was created in collaboration between Debbie Reynolds, “The Data Diva,” and Peter Counter, Editor in Chief at FindBiometrics & Mobile ID World, culture and technology writer, and future guest on “The Data Diva” Talks Privacy Podcast. Enjoy!