For the last couple of years, biometric data has been at the forefront of the legal battles about protecting consumer privacy. Consumers are beginning to understand how much biometric data is collected by businesses and government. Businesses are now routinely using fingerprints for time clock management and for building security purposes. Law enforcement and businesses routinely use facial recognition software for various purposes like anti-shoplifting and anti-theft efforts.
However, biometrics are not limited to these well-known examples. With omnipresent data collection and video surveillance, consumers can be identified by the way that they walk and move in public spaces (a so-called “gait-print”) and by the way that they type, scroll and use a mouse on various devices. Data points include the angle and manner in which a device is held, the speeds of swiping and scrolling, which fingers are used, whether and how the mouse wheel is used, etc. Retailers have even gone so far as to use surveillance cameras to create so-called “smart shelves” which can analyze in-store consumer behavior and facial expressions, allowing the store to deliver real-time product-targeted advertising.
However, privacy advocates have been fighting back. The California Consumer Privacy Act includes biometric data among the categories of protected consumer data. Washington State has recently enacted a similar statute. In 2008, Illinois enacted the Biometric Information Privacy Act (“BIPA”), 740 Ill. Comp. Stat. 14/1 et seq., which mandated that prior notice be given and prior consent be obtained before biometric identifiers can be collected and used. All of the biometric data protection statutes enacted so far also require that biometric data be protected by sufficient cybersecurity measures to prevent the data from being stolen or lost. The statutes also mandate various protocols with respect to how the data is deleted and destroyed.
The BIPA has, in particular, spawned a large number of lawsuits, partly because the statute has a strict-liability aspect. The statutory penalties allowed under the BIPA do not require that the biometric data be lost, exfiltrated or misused, or that the consumer be concretely injured in any way. Failure to provide the notice and failure to obtain consent are sufficient. Facebook, for example, was sued in California federal court in 2015. Facebook collected faceprints of its Illinois users, allegedly without notice to them, without consent and without providing adequate cybersecurity measures to prevent theft of the information. However, there was no evidence of any actual harm to the plaintiffs. That is, the biometric identifiers were not stolen by hackers, were not shared with other businesses, and were not otherwise misused.
Facebook argued that, without such an injury, the case should be dismissed. The trial court disagreed and ruled that the BIPA did not require that the data be hacked or used or stored or deleted improperly. In late 2019, upon appeal, the US Ninth Circuit affirmed. The court concluded that the plaintiffs in the class action were, in fact, injured by the alleged collection, use, and storage of the faceprints. According to the court, the BIPA defined the injury as the collection of biometric data without notice and without consent and without the other protections required by the statute. As such, the Ninth Circuit affirmed that the class action should go forward to trial. Under the BIPA, each plaintiff is potentially entitled to statutory damages of $1,000 to $5,000. Facebook asked the US Supreme Court to review the decision, but was rebuffed.
As a result, Facebook has agreed to settle the case for $550 million. Motions are pending with the district court judge who will decide whether the proposed settlement is adequate. It is possible that the settlement will be rejected and that Facebook will have to increase its settlement offer or go to trial.
As can be seen, mishandling biometric identifiers is legally dangerous and can be expensive. Facebook may be able to afford a half-billion-dollar settlement, but not many businesses can. Other lawsuits are already being filed. Google, for example, has just been served with a class-action lawsuit alleging it violated the BIPA.
If you have legal questions about consumer privacy, data security or other internet law related legal issues, contact the trusted internet lawyers at Revision Legal at 231-714-0100.