
Amazon Blood Vessel Scanning: New Privacy Battleground

by John DiGiacomo, Partner, Internet Law

Amazon Go Stores recently announced a new biometric technology making it even easier for customers to come, shop, and go at these retail outlets. See news report here. The technology involves palm geometry and blood vessel scanning. Like fingerprints, retinal patterns and face geometry, each person’s blood vessel configuration is unique and, once scanned and stored electronically, can be used to uniquely identify a person.

According to Amazon, the new blood vessel/palm scan will be used to simplify and speed payment processing. However, it is expected that the technology could be used for other purposes like verification of identity for airports, concerts, sporting events and as a replacement for workplace security like keys and swipe-cards. Amazon also touts the new biometric technology because it is touchless (unlike swipe-cards and fingerprints). This has obvious advantages for workplaces and venues continuing to deal with the COVID-19 pandemic. Amazon also touts blood vessel biometric identification as more secure than other biometrics because it is much more difficult to fake. Unlike face geometry — and even fingerprints — blood vessel configuration cannot be visually observed.

Legally, this opens up another battleground in the fight to protect consumer and individual privacy. There are already many statutes enacted in various states and localities that regulate various biometric information that can be used for personal identification. Some state statutes have already added vein/vessel configuration in the definition of biometric data. For example, the California Consumer Protection Act (“CCPA”) defines “biometric information” very broadly to include “physiological, biological or behavioral characteristics … that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.” Palm and vein patterns are specifically listed as an example. See Cal. Civ. Code, section 1798.140(b).

In general, like many similar statutes, the CCPA requires that a person give consent before any sort of biometric information is collected. Further, an individual must be given notice of the business purposes for which the information will be used, and notice of how and where the information is stored, with whom and under what conditions it is shared, how long it is retained, and how, when and in what manner it will be destroyed. Finally, the CCPA mandates that individuals be allowed to “opt out” of having certain types of information collected about them. Other states also protect biometric information, including:

  • Texas
  • Washington
  • Arkansas
  • New York

These statutes either explicitly mention blood vessel/vein patterns or have a catchall phrase like “other unique biological pattern or characteristic.”

Other statutes — like the Illinois Biometric Information Privacy Act (“BIPA”) — do not specifically mention blood vessel/vein configuration as a type of biometric data. See 740 ILCS 14/10. The BIPA defines a “biometric identifier” as an “iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” There is no general “catchall” word or phrase. The BIPA will have to be amended by the Legislature or by the courts to cover blood vessel/vein technology. This is very likely to happen.

Based on the news report, Amazon is already well aware of its need to obtain consent before taking and using blood vessel/palm scanning technology. However, the report did not indicate whether Amazon satisfied the various notice requirements and whether Amazon has acknowledged the enhanced cybersecurity requirements that come with collecting personally identifiable information.

Legal lessons: Businesses contemplating use of the new biometric technology should approach with caution and ensure compliance with ALL notice, consent and cybersecurity requirements.

If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.

Illinois BIPA: The Most Litigated Biometric Privacy Law

While the California CCPA and CPRA address biometric information as part of a broader privacy framework, the Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., is the most litigated biometric-specific statute in the country and provides the most aggressive private enforcement mechanism. BIPA requires that any private entity collecting biometric identifiers must: (1) inform the individual in writing that biometric data is being collected; (2) inform the individual of the specific purpose and length of collection; and (3) obtain a written release. Entities may not sell or profit from biometric data and must maintain a publicly available written retention schedule. BIPA’s private right of action authorizes statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees. The Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, that a plaintiff need not allege actual harm beyond the statutory violation itself to have standing under BIPA.

How BIPA Treats Vein and Vessel Patterns

The critical question for Amazon’s palm/vein scanning technology in Illinois is whether vein or blood vessel patterns fall within BIPA’s definition of “biometric identifier.” BIPA defines biometric identifiers to include “retinal or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Courts and practitioners have debated whether a vein/vessel scan constitutes a “scan of hand geometry.” Amazon’s palm scanning technology captures both palm geometry and blood vessel patterns—the palm geometry component is almost certainly covered by BIPA, while the vein pattern component requires a court’s interpretive ruling. The combination of BIPA’s coverage of hand geometry scans and the fact that the Amazon One device necessarily captures hand geometry as part of its palm-reading process means the technology is almost certainly subject to BIPA’s requirements regardless of the vein-pattern question.

Washington and Texas Biometric Privacy Laws

Texas’s Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code §§ 503.001–503.002, prohibits capturing a biometric identifier without informing the person and obtaining consent, but unlike BIPA, it is enforced exclusively by the Texas Attorney General rather than through a private right of action. Washington has enacted multiple privacy statutes affecting biometric data, including the My Health My Data Act (2023), which covers health data, including physiological information that could encompass biometric data derived from health applications. Businesses operating in multiple states must track this patchwork of state laws carefully, as the compliance requirements differ meaningfully.

Employer Use of Biometric Timekeeping

One of the most common contexts for BIPA litigation is fingerprint-based timekeeping systems used by employers. Employees routinely clock in and out using fingerprint readers, and employers who deployed these systems without proper BIPA notice and consent have faced class action suits. The same analysis now applies to employers considering palm or vein scan timekeeping. Employers in Illinois must: provide written notice to employees describing the biometric collection; obtain written consent from each employee before first collection; and maintain a written policy governing the retention and destruction of the data. Failure to comply before collecting a single employee’s biometric data exposes the employer to per-employee, per-occurrence statutory damages.

Consult a Biometric Privacy Attorney

The legal framework governing biometric data is among the fastest-evolving areas of privacy law, with new state statutes, regulatory guidance, and court decisions issued regularly. If your business collects biometric information from customers or employees, or if you have been served with a BIPA class action complaint, the privacy attorneys at Revision Legal can help. Contact us at 231-714-0100.
