Chicago, Ill. (August 18, 2021) - In 2008, Illinois became the first state to regulate the collection and storage of biometric information amidst the advent of pay-by-touch technologies. Nearly 13 years later, as workers across the country return to their workplaces following a global pandemic and have their temperature and other vitals screened, many state legislatures are busy enacting or amending laws pertaining to biometric data. Below is a survey of the existing legal landscape as well as some noteworthy developments across different jurisdictions. Lewis Brisbois continues to closely monitor this rapidly evolving area of the law and remains uniquely poised to assist organizations with the inevitable legal challenges associated with the utilization of biometric information. 

Illinois

The first of its kind, the Illinois Biometric Information Privacy Act (BIPA) requires private entities that obtain biometric identifiers or information to first: (1) inform the person in writing that their information is being collected and stored; (2) inform the person in writing of the specific purpose and term for collection and storage; and (3) secure a written release from the person. See 740 ILCS 14/15. The disclosure of an individual's biometric information or identifiers is also strictly prohibited unless: (1) the private entity has obtained the person's consent; or (2) an exception applies (i.e., a state or local government agency is the collecting or storing entity). Further, private entities are required to develop a public and written retention schedule, with biometric information being destroyed when the purpose for collection has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.

BIPA remains the most stringent and notorious biometric law in the country due to its private right of action, which allows individuals and classes to sue companies directly when they believe their rights under the law have been violated. Specifically, a person may file suit to recover statutory damages of $1,000 per negligent violation or $5,000 for each intentional or reckless violation, in addition to reasonable attorneys' fees and costs. In order to establish standing to bring suit, a person need not show actual harm, but rather a mere procedural violation is sufficient. In turn, this has led to a tidal wave of litigation. Courts in Illinois are currently considering whether the Illinois Workers' Compensation Act preempts BIPA claims stemming from the workplace and whether the appropriate statute of limitations for BIPA claims is one, two, or five years.

Legislation: 740 ILCS 14/15
Overview of Law: Requires private entities to: (1) give notice; (2) inform the person of the specific purpose and term for collection and storage; and (3) secure a written release from the person. Private right of action; $1,000 per negligent violation or $5,000 for each intentional or reckless violation.

Texas

A year after the enactment of BIPA, Texas passed its own biometric privacy statute into law, the Capture or Use of Biometric Identifier Act (CUBI). See Tex. Bus. & Com. Code §503.001. Similar to BIPA, prior to the "capture" of any biometric identifiers, businesses must first: (1) provide notice; and (2) obtain consent. Likewise, CUBI requires companies to destroy biometric identifiers within a "reasonable time," no later than one year after the initial purpose for collecting the biometric identifier has been satisfied. This law also prohibits the sale, lease, or disclosure of biometric data in a company's possession unless an exception applies.

In contrast to BIPA, CUBI does not contain a private right of action. Instead, enforcement of the statute rests exclusively with the Texas Attorney General. However, compliance for entities doing business in Texas should still be taken seriously, as CUBI violations can carry civil penalties of up to $25,000 per occurrence.

Legislation: Tex. Bus. & Com. Code §503.001
Overview of Law: Prior to collection of biometric information, businesses must first: (1) provide notice and (2) obtain consent. Enforced exclusively by Texas Attorney General; civil penalties of up to $25,000 per violation.

Washington

Washington became the third state to enact a specific biometric privacy law in 2017. See Wash. Rev. Code § 19.375.020. This law prohibits any company or individual from entering biometric data "in a database for a commercial purpose, without first providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose." Unless given notice and consent, an individual or company "may not sell, lease, or otherwise disclose the biometric identifier to another person for a commercial purpose." Importantly, unlike the Illinois and Texas statutes, Washington's law contains a broad "security exception," exempting those persons that collect, capture, enroll, or store biometric identifiers in furtherance of a "security purpose."

Like CUBI, Washington's biometric privacy law does not contain a private right of action for suits to be brought by individual plaintiffs. Rather, enforcement of violations, which are treated as per se unfair or deceptive trades and practices, is left to the discretion of the Washington Attorney General.

Legislation: Wash. Rev. Code § 19.375.020
Overview of Law: Persons must: (1) give notice; (2) obtain consent; and (3) provide mechanism to prevent use. Exemption for "security purpose" use. Enforced exclusively by Washington Attorney General as a deceptive trade or practice.

Portland, Oregon

In a milestone move, the city of Portland, Oregon enacted a prohibition on the use of facial recognition technology by private entities in places of "public accommodation" effective January 1, 2021. See Portland City Code, Title 34 - Digital Justice, Chapters 34.10.010-34.10-050. "Face Recognition" is defined broadly in the ordinance as "automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository (one-to-many search)." Only three exceptions apply: (1) where the private entity must comply with federal, state, or local laws; (2) for persons to verify/access their smart devices; or (3) for use in social media applications.

This measure is likely to usher in a new wave of lawsuits and class actions with its creation of a private right of action. A person bringing suit under the ordinance may recover any damages sustained as a result of the violation or $1,000 per day for each day of violation, whichever is greater, plus attorneys' fees.

Legislation: Portland City Code, Title 34 - Digital Justice, Chapters 34.10.010-34.10-050
Overview of Law: Ban on the use of facial recognition technology by private entities in places of public accommodation. Private right of action; $1,000 per day for each day of violation.

New York City

On July 9, 2021, with its Biometric Identifier Information Law taking effect, New York City became the most recent jurisdiction to add to the growing list of restrictions and obligations on the use and collection of biometric information. See City of New York Administrative Code, Title 22, Chapter 12. The law prohibits "commercial establishments" - such as theaters, stadiums, arenas, racetracks, museums, amusement parks, and observatories - from collecting, retaining, storing, or sharing their customers' biometric information or identifiers without prior disclosure. Businesses that ascertain biometric identifiers or information are also required to display conspicuous signage indicating that collection is occurring. Notably, the law does not require employers to obtain prior written consent from employees prior to biometric data collection.

This code provides a private right of action for violations of both the signage requirement and the prohibition on selling or sharing biometric information. Distinctly, there is also a 30-day notice and cure provision for the signage requirement. Individuals can only file a claim after giving notice of the claimed violation to the business and allowing the business 30 days to state, in writing, that a notice has been posted and that no future violations will occur. However, there is no waiting period for suits based on a violation of the prohibition on sharing or selling information without prior disclosure. Prevailing plaintiffs may recover $500 in damages for violations of the signage requirement, while violations of the prohibition on selling or sharing biometric identifier information are $500 in the event of a negligent violation or $5,000 if the violation is found to be willful or intentional.

Legislation: City of New York Administrative Code, Title 22, Chapter 12
Overview of Law: "Commercial establishments" prohibited from retaining, storing, or sharing their customers' biometric information or identifiers without disclosure or signage. 30-day cure period for signage violations. Private right of action; $500 for signage or negligent violations and $5,000 for willful or intentional violations.

PROPOSED LEGISLATION

Illinois

Since its enactment, litigation under BIPA has continued to increase significantly, leading to nearly one thousand filed actions, staggering settlement amounts, and an array of legal issues. Several recently proposed BIPA amendments seek to curb the momentum of these lawsuits. All prior attempts to amend BIPA have failed.

Removal of the Private Right of Action

The notoriety and potency of Illinois' BIPA law primarily stems from its private right of action, which has allowed individuals or classes to sue companies directly when they believe their rights have been violated. With recovery of statutory damages of $1,000 per negligent violation or $5,000 if the violation is deemed intentional or reckless, plaintiffs' attorneys have had plenty of incentive to aggressively pursue claims.

Illinois House Bill 560, introduced on February 2, 2021, would significantly alter this landscape by deleting BIPA's provisions pertaining to a private right of action for individuals. Instead, if passed, the bill would leave enforcement of BIPA violations entirely to the Illinois Department of Labor and the Illinois Office of the Attorney General. In effect, this would likely lead to a dramatic decrease in the filing of BIPA lawsuits.

Elimination of Per Violation Damages

The BIPA floodgates were further opened following the Illinois Supreme Court's decision in Rosenbach v. Six Flags Entertainment Corp., where the court held that plaintiffs did not need to allege any actual injury or adverse effect to obtain damages. Rather, a mere technical violation of BIPA alone sufficiently qualified a person as "aggrieved" for purposes of the act and provided standing to sue. With this standard, several plaintiffs have pursued damages on a "per violation" theory - meaning that each and every time a BIPA violation occurs, an individual is entitled to a separate liquidated damages award.

While courts have yet to settle the merits of this concept, Illinois House Bill 3414 aims at providing an answer. Indeed, this bill would delete BIPA's language allowing a prevailing party in an action to recover for each violation of the Act. Instead, it would consider continuing violations of BIPA or violations of separate provisions of BIPA to the same individual as the same occurrence. In turn, this would greatly alleviate the potential exposure entities would face as a result of BIPA violations.

30-Day Cure Period

Finally, Illinois Senate Bill 300 and Illinois House Bill 559 would alter the rigid and strict application of BIPA. Specifically, these amendments would require an aggrieved individual to give a business notice of the alleged BIPA violation 30 days prior to filing a lawsuit. If, in those 30 days, the business "cures" those alleged violations, the individual would be barred from initiating litigation. If, however, the business continues to violate the individual's rights under BIPA, that individual is then free to initiate an action and seek damages.

Legislation: 2021 IL H.B. 560
Overview of Law: Eliminates private right of action for persons to directly sue private entities for violations.

Legislation: 2021 IL S.B. 300, 2021 IL H.B. 559
Overview of Law: Implements a 30-day cure period for alleged violations before a lawsuit can be initiated.

Legislation: 2021 IL H.B. 3414
Overview of Law: Deletes language allowing a prevailing party to recover damages "per violation."

Massachusetts

Two pieces of legislation - 2021 S.D. 269 and 2021 S.B. 220 - are currently making their rounds in the Massachusetts General Court. These bills, collectively called the "Biometric Information Privacy Act," largely model BIPA. They prohibit private entities from collecting, storing, or otherwise obtaining a customer's biometric information unless they: (1) inform the individual that the information will be collected; (2) inform the individual in writing of the specific purpose and length of time the information will be stored; and (3) receive written consent from the individual. Likewise, private entities would be prohibited from selling, leasing, trading, or otherwise profiting from a person's biometric identifier or information.

Should this bill pass, violations would be subject to private and public enforcement, as the current text contains both a provision for a private right of action as well as an authorization for suits to be brought by the Massachusetts Attorney General. Damages are set to be no less than $5,000 per violation or actual damages suffered, whichever is greater, plus attorneys' fees and costs.

Legislation: 2021 S.D. 269, 2021 S.B. 220
Overview of Law: Entities would be required to: (1) inform the consumer that the information will be collected; (2) inform the consumer in writing of the specific purpose and length of time the information will be stored; and (3) receive written consent. Public and private enforcement; damages of $5,000 per violation.

New Jersey

Introduced on March 5, 2020, New Jersey Assembly Bill 3625 mirrors the requirements of BIPA and its predecessors by forbidding private entities from collecting or capturing biometric information unless they first: (1) inform the person in writing that a biometric identifier or biometric information is being collected or stored; (2) inform the person in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receive a written release executed by the person. This bill also requires businesses to develop a "written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information." Through the bill's private right of action, aggrieved parties could recover $1,000 for negligent violations or $5,000 for intentional or reckless violations.

Legislation: N.J. Assembly Bill 3625
Overview of Law: Entities would be required to (1) inform the consumer that the information will be collected; (2) inform the consumer in writing of the specific purpose and length of time the information will be stored; and (3) receive written consent. Private right of action; $1,000 for negligent violations or $5,000 for intentional or reckless violations.

New York

2021 NY A.B. 27 and 2021 NY S.B. 1933 seek to expand biometric regulation beyond New York City to the entire state of New York. If passed into law, entities conducting business in New York would be required to: (1) inform the person in writing that a biometric identifier or biometric information is being collected or stored; (2) inform the person in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receive a written release executed by the person. Private entities would also be required to delete such identifiers or information following completion of the purpose for which it was collected or within three years of the individual's last interaction with the private entity. Violations would be subject to suits by private individuals, with the customary $1,000 for negligent violations or $5,000 for intentional or reckless violations.

Of note, New York lawmakers have unsuccessfully proposed similar biometric privacy laws on three prior occasions. However, these latest bills were introduced with bipartisan support and may stand a stronger chance of being enacted. If passed into law, the law would take effect just 90 days later, giving entities conducting business within the state of New York a short amount of time to achieve compliance before incurring potential liability.

Legislation: 2021 NY A.B. 27, 2021 NY S.B. 1933
Overview of Law: Entities would be required to (1) inform the consumer that the information will be collected; (2) inform the consumer in writing of the specific purpose and length of time the information will be stored; and (3) receive written consent. Private right of action; $1,000 for negligent violations or $5,000 for intentional or reckless violations.

South Carolina

Introduced on January 12, 2021, South Carolina House Bill 3063 would require a business to inform consumers about the collection and use of biometric data either before or at the time of the collection of biometric information. This bill would also grant consumers the right to access, delete, and obtain a copy of their personal data. This bill requires that there be a clear and conspicuous notice to consumers about the business's complete practice governing the processing of their personally identifying biometric information. Through the bill's private right of action, aggrieved parties could recover $1,000 or actual damages, whichever is greater, for negligent violations, or $10,000 or actual damages, whichever is greater, for intentional or reckless violations.

Legislation: 2021 SC H.B. 3063
Overview of Law: Entities would be required to: (1) allow consumers to request that a business delete collected biometric information and prohibit the sale thereof; (2) follow state standards relating to the collection of biometric information; (3) allow consumers to opt out of the sale of biometric information; and (4) prohibit businesses from discrimination against individuals who opt out of the sale of their biometric information. Private right of action; $1,000 for negligent violations or $10,000 for intentional or willful violations.

Washington

Introduced on January 11, 2021, Washington Senate Bill 5104 regulates biometric privacy specifically in the field of facial recognition technology in any place of public resort, accommodation, assemblage, or amusement. The bill specifically prohibits the use of facial recognition technology to identify individuals based on their facial features or to analyze a person's sentiment, state of mind, or other propensities, including their level of dangerousness. The bill also prohibits information obtained through the use of facial recognition from being introduced as evidence at any trial, hearing, or other proceeding before a court. Through the bill's private right of action, aggrieved parties may recover actual damages or $1,000 for each violation, whichever is greater.

Legislation: 2021 WA S.B. 5104
Overview of Law: Entities would be prohibited from using facial recognition technology in any automated or semiautomated process used to identify a person's sentiment, state of mind, or propensities, and prohibited from the use of facial recognition technology as evidence in a trial. Public and private right of action; injured parties may recover actual damages or $1,000, whichever is greater.

FAILED LEGISLATIVE EFFORTS

Many states have also unsuccessfully attempted to pass their own legislation to regulate the collection, storage, and use of biometric information. Below is a list of some bills that have been introduced over the past few years which failed to ultimately make it into law.

  • Alaska, 2015 AK HB27: Died in Committee.
  • Arizona, 2020 AZ H.B. 2728: Died in Chamber.
  • Colorado, 2021 CO H.B. 1244: Postponed Indefinitely.
  • Delaware, 2018 DE HB350: Died in Committee.
  • Florida, 2018 FL S.B. 1270: Died in Committee.
  • Hawaii, 2021 HI S.B. 1009: Died in Committee.
  • Kentucky, 2021 KY S.B. 278 & 280: Died in Committee.
  • Maine, 2021 ME S.P. 535: Died Between Houses.
  • Maryland, 2021 MD H.B. 218: Withdrawn by Sponsor.
  • Maryland, 2021 MD S.B. 16: Died in Committee.
  • Mississippi, 2021 MS S.B. 2612: Died in Committee.
  • Montana, 2019 MT HB0645: Died in Committee.
  • New Hampshire, 2020 NH H.B. 1417: Died in Chamber.
  • Oklahoma, 2021 OK H.B. 1602: Died in Committee.
  • Virginia, 2020 VA H.B. 2307: Died in Chamber.
  • West Virginia, 2021 WV H.B. 2046: Died in Committee.
  • Wisconsin, 2019 WI S.B. 851: Failed to Pass Vote Out.

Lewis Brisbois has been on the cutting edge of BIPA litigation defense and established the country's first dedicated BIPA practice shortly after the Rosenbach decision. For more information about these developing laws across the nation, contact the authors of this alert. Visit our Illinois BIPA Practice page for more alerts on this topic.
