Expect Focus Life, Annuity, and Retirement Solutions, March 2019

Be Prepared for the Next Wave of Biometric Data Laws: Five Tips for Businesses

Cybersecurity and Privacy   |   Insurance   |   Life, Annuity, and Retirement Solutions   |   Technology   |   April 4, 2019

Advancements in technology have made it possible for more companies to use biometric data to streamline their business, improve security and workplace efficiency, and offer new services and features to customers. Biometric data broadly consists of any information that can be used to identify a person based on biometric identifiers, such as fingerprints, retina scans, and facial geometry. Real-world applications for this type of technology are endless, from smartphones activated by facial recognition, to employee time-management processes that rely on fingerprints in lieu of traditional punch-clock cards.

Although biometric technology offers myriad opportunities to streamline business processes and offer new services, that technology also carries with it increasing regulatory and litigation risk. Congress and state legislatures are considering new laws to regulate the collection and use of personal data, including biometric data. Currently, there is no federal law that regulates the collection and use of biometric data, but its use could implicate existing federal laws, including HIPAA and the Fair Credit Reporting Act, among others. Additionally, it is unknown whether and to what extent the various federal data privacy laws under consideration at the national level would regulate the use of biometric data or preempt state laws. Three states have enacted biometric data privacy laws: Illinois, Texas, and Washington. But the Illinois Biometric Information Privacy Act (BIPA) is the only one to provide for a private right of action, whereas the Texas and Washington statutes are enforced by the state attorneys general.

In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that a plaintiff suing under BIPA need not allege or show actual injury or an adverse effect to maintain an action for damages under the statute. This is important because BIPA allows for $1,000 or $5,000 in statutory damages per violation, depending on whether the violation was negligent, intentional, or reckless. As anticipated, the Rosenbach decision has already resulted in a sharp increase in class action lawsuits, many of which have been filed against employers for their use of biometric data in the workplace. Some companies have even altered their behavior as a result of this law. For example, Nest, the maker of smart thermostats and doorbells, reportedly deactivated a feature of its popular doorbells in Illinois, lest that feature draw the ire of plaintiffs’ attorneys.

States without biometric information regimes may still regulate under common law or privacy-related statutes, and a handful of other jurisdictions have proposed, or are currently considering, biometric data privacy legislation with varying requirements, including Alaska, Arizona, Connecticut, Delaware, Florida, Massachusetts, Montana, New Hampshire, and New York City. Some of these proposed statutes would include a private right of action like Illinois’ BIPA, while others would be enforced by the state’s attorney general. The bill introduced in Florida (HB 1153 and SB 1270) is patterned after Illinois’ BIPA and, as introduced, would allow for a private right of action. It would not permit businesses to “collect, capture, purchase, receive through trade, or otherwise obtain” biometric data without written notice and consent from the individual.

Given the extraterritorial reach of Illinois’ BIPA and the fact that other jurisdictions are likely to enact their own versions of it, companies would be wise to evaluate their practices and policies related to the collection and use of biometric data. Specifically, businesses should undertake the following:

1. Evaluate the extent to which the organization and its vendors collect and use biometric data from the organization’s employees and consumers. Review vendor agreements for indemnification and employee training provisions, if applicable.

2. Obtain written and informed consent from the employee or consumer before the collection and use of biometric data, setting forth the specific purpose and length for which the data will be used and held.

3. Develop a written policy to govern the collection and use of biometric data that sets forth the purposes and scope of the collection and use of the data, as well as the means for retaining and deleting the data after its life cycle.

4. Remember to update any outward-facing privacy policies to reflect any personal information being collected or processed as a result of new product lines or ventures, including biometric data.

5. Consider whether it is necessary to update the company’s data incident response plan to include biometric data as information that, if exposed, would trigger notice requirements.

©2024 Carlton Fields, P.A.
