Biometric identification technologies, once the realm of science fiction movies, have now become ubiquitous for many Americans. Roughly 90 million Americans own iPhones [1], which, for several years, have used fingerprint scans in lieu of passcodes, and the most recent iPhone X, unveiled in September 2017, uses facial mapping technologies to identify owners. [2] Smartphone technology is just one of many uses for biometrics. Biometrics are also used by retailers to track and analyze the shopper experience. [3] The use of biometric data for identification purposes is predicated on the idea that certain biological traits are unique to every individual, and thus difficult (but not impossible) to forge or replicate. [4] In the United States, consumers are becoming increasingly open to the idea of using biometric data for a variety of identification purposes. [5] The increased popularity of biometric data for personal identification raises questions about how these data are collected and used and the applicable statutory framework to protect individual privacy.

What is Biometric Data?

Biometrics are unique physical characteristics that can be used to identify individuals. [6] Common types of biometric data include fingerprints, voiceprints, facial recognition, and retina or iris scans, but more extreme examples include electrocardiographic rhythms and even body odor. [7]

Current Biometric Data Regulation

Currently, there are no federal statutes and only three state statutes regulating the collection and use of biometric data by private entities. In 2008, Illinois enacted the Biometric Information Privacy Act (“BIPA”). [8] This Act includes several critical consumer protections, including a requirement that businesses provide notice in writing and receive written consumer consent prior to the collection of data. [9] The stated purpose of the legislation was to design procedures to protect consumers’ sensitive personal information and reduce apprehension about using these new forms of data. [10] In 2009, Texas enacted a similar statute governing the collection and use of biometric data. [11]

During 2017, Alaska, Connecticut, Massachusetts, Montana, New Hampshire, and Washington all considered legislation protecting citizens’ biometric data; however, to date, only Washington’s legislation has been enacted. [12]

Application of the Current Regulatory Regime

Although BIPA is a state law, the statute has been extremely influential in shaping biometric privacy law nationwide. There are several high-profile class action BIPA suits currently in Federal Court, including a class action against Facebook, where plaintiffs used BIPA to challenge Facebook’s facial recognition tagging software. The California Northern District Court denied Facebook’s motion for summary judgment in May 2016, saying that despite Facebook’s contractual choice of law provision, which stipulates that all disputes be adjudicated under California state law, Illinois law would apply in this case because Illinois has a substantial interest in protecting its citizens’ biometric data. [13] Applying California law would significantly undermine this goal. [14]

Where Does Biometric Data Regulation Go from Here?

Although lawmakers have been slow to address the issue, the surge in biometric identification legislation considered in 2017 indicates that consumer privacy issues are being actively discussed by state lawmakers. While the need for regulation is clear, uncertainty is the biggest barrier to creating effective regulation. The recent development of biometric regulations means there are few precedents indicating how courts will interpret these statutes; however, pending litigation awaits key decisions in other cases before proceeding. In Facebook, parties agreed to stay the case until the Ninth Circuit ruled on Spokeo, Inc. v. Robins. [15] In Spokeo, plaintiff Thomas Robins claimed that Spokeo, Inc., a personal information database, disseminated incorrect data about him, violating the Fair Credit Reporting Act (“FCRA”). The Supreme Court affirmed that Article III standing requires plaintiffs to articulate an injury that is both “concrete and particularized,” [16] and that procedural violations of a statute alone do not constitute a concrete harm. [17] The Supreme Court determined that the Ninth Circuit had established particularity, but remanded the case to the Ninth Circuit for additional proceedings to determine whether the plaintiff’s harm was also concrete. [18] On remand, the Ninth Circuit held that the plaintiff demonstrated the elements necessary for Article III standing based on a two-part analysis. First, the Court determined the FCRA “procedures at issue in this case were crafted to protect consumers’ (like Robins’s) concrete interest in accurate credit reporting about themselves.” [19] Second, after evaluating “the nature of the specific alleged reporting inaccuracies to ensure that they raise a real risk of harm to the concrete interests that FCRA protects,” [20] the Court held Robins’s complaint alleged a concrete injury. [21]

The Spokeo standard has also been applied to a BIPA case. In Vigil v. Take-Two Interactive Software, Inc., [22] the plaintiffs allege that video-game creator Take-Two Interactive Software, Inc. violated several BIPA procedural provisions when it created facial scans of the plaintiffs for use in a video game, even though plaintiffs consented to having the facial scans made for use in the game and Take-Two did not use the data for any purpose other than gaming. The Southern District of New York granted Take-Two’s motion to dismiss, relying heavily on the Supreme Court’s analysis in Spokeo. In its analysis of the alleged procedural violations, the Court says, “Even without fully compliant notice and consent, no concrete BIPA interest can be harmed so long as the private entity only uses the biometrics collected as both parties intended.” [23]

The factual nuances of these cases demonstrate the importance of precise statutory drafting as legislators at the state and federal levels contemplate enacting laws to regulate the collection of biometric data. The increased prevalence of biometric identifiers will undoubtedly fuel further legal challenges about methods of collecting biometric data for commercial purposes, but the current BIPA cases will provide meaningful guidance for consumers, private entities and legislators about the best practices to protect against overly invasive biometric data collection.

1 Adam Lella, U.S. iPhone Ownership Reaches All-Time High on Strength of iPhone 7, comSCORE (April 19, 2017).

2 David Pierce, Meet the iPhone X, Apple’s New High-End Handset, Wired (Sept. 12, 2017, 3:00 PM).

3 Ben Sobel, Facial Recognition Technology is Everywhere. It May Not Be Legal, Washington Post (June 11, 2015).

4 Andy Greenberg, We Tried Really Hard To Beat Face ID—and Failed (So Far), Wired (Nov. 3, 2017, 7:00 AM).

5 The Future of Biometrics is Here: Are Consumers Willing to Adopt?, Javelin Strategy & Research (Aug. 25, 2016).

6 Biometrics, Merriam-Webster Dictionary (last visited Nov. 4, 2017).

7 Dan Moren, 7 Surprising Biometric Identification Methods, Popular Science (Dec. 30, 2014).

8 740 Ill. Comp. Stat. 14/1 et seq. (2008).

9 Id. 14/15(b).

10 Id. 14/5.

11 Tex. Bus. & Com. Code Ann. § 503.001 (West 2017).

12 Justin Kay and Brendan McHugh, The Next Steps for Biometrics Legislation Across the US, Law 360 (May 25, 2017, 11:55 AM).

13 In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016).

14 Id. at 1169-70.

15 Shayna Posses, Facebook Biometric Row Halted For 9th Circ. Call On Spokeo, Law 360 (Feb. 8, 2017, 5:28 PM).

16 Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1545 (2016).

17 Id. at 1549.

18 Id. at 1550.

19 Robins v. Spokeo, Inc., 867 F.3d 1108, 1115 (9th Cir. 2017).

20 Id. at 1116.

21 Id. at 1117.

22 Vigil v. Take-Two Interactive Software, Inc., 235 F. Supp. 3d 499, 517-18 (S.D.N.Y. 2017).

23 Id. at 514.