The increased use of biotech and the biometric privacy concerns entangled with its use creates a legal minefield that businesses must prepare to navigate.
Meta — the parent company of Facebook, Instagram and other social media giants — recently settled a biometric privacy lawsuit with Texas and has agreed to pay $1.4 billion to impacted individuals.
A slew of other biometric class action lawsuits has attorneys of large corporations on edge.
Illinois became the first state to enact a law protecting biometric privacy in 2008.
Since then, Texas and Washington have passed similar legislation. Several states have failed to pass biometric privacy law, including Missouri.
The laws governing biometric privacy differ from most other comprehensive privacy laws across the nation, according to Mitch Martin, of counsel with Spencer Fane.
Many of those comprehensive privacy laws govern private data — like cookies, web tracking and social security numbers — more broadly, while biometric privacy concerns the use of biological information like facial recognition, retinal scans and fingerprints, Martin said.
At issue in the landmark Meta settlement was Facebook’s use of this technology and how most users weren’t aware the company was tracking their information. That violated Texas’ biometric privacy law and led to the $1.4 billion settlement.
This historic Texas settlement is just one of many “eye-popping” settlements relating to bio-privacy in recent years, Martin wrote in a recent essay on the topic co-authored with partner Jeremy Rucker.
“The likes of Google, TikTok, Meta and even Walmart have not been immune. In 2020, then Facebook settled for $650 million and TikTok for $92 million in litigation alleging misuse of facial recognition technology,” Martin wrote. “In 2021, Walmart reached a $10 million settlement for the company’s alleged misuse of palm scanners to check employees in and out of cash registers. More recently, Google reached a $100 million settlement based on its alleged misuse of facial recognition technology.”
The most “infamous and punitive” of the statutes governing this area of law is the Illinois BIPA law, Martin wrote.
“Illinois has taken just a really aggressive stance towards this and has said we’re going to apply statutory damages of $1,000 per violation is what they did in the past — that’s for negligent violations and $5,000 for intentional or reckless violations,” Martin told Missouri Lawyers Media. “What you were seeing was damages of potentially billions of dollars.”
Last month, Illinois Governor J.B. Pritzker amended the law after ongoing calls for reform, Martin pointed out. The amended law now limits statutory damages to $1,000 or $5,000 per person as opposed to $1,000 or $5,000 per violation, he said.
This has made businesses incredibly wary of doing business in Illinois and it has also shown that biometric privacy is sacrosanct and must be protected, Martin said. While privacy leaks on social security numbers and of bank account information can eventually be remedied, biological information cannot be. One can’t get a new face, or fingerprint or voice.
Lauren J. Caisman, a partner with BCLP, has defended companies from numerous class-action lawsuits under BIPA. Caisman told Missouri Lawyers Media she first became involved in this area of the law around 2017-2018 when there was a sudden “tidal wave of litigation” filed under the Illinois law.
The number of lawsuits under the law have ebbed and flowed over the years, but Caisman said she is still surprised by how constant new filings are.
“We’re sort of six years into heavy BIPA litigationand obviously the arguments either side are focusing on have changed as more case law comes down,” Caisman said. “A lot of arguments now are focused on damages, not necessarily procedural issues, standing, statute of limitations, lot of those issues.”
There also have been different waves of who is being targeted by these class-action lawsuits, Caisman said. These suits first took aim at video game and social media companies, then employers with large numbers of hourly employees who used biometrics (such as fingerprints) to clock-in. Now Caisman said she is observing these suits in the crypto space and dating apps that are mostly consumer driven.
While Missouri doesn’t have a law similar to Illinois’ BIPA, businesses of any size that work with Illinois residents or businesses across the river should become familiar with the law as it will still impact them, Martin said.
“Businesses of any size need to be concerned about this and particularly in Illinois […] businesses or other states that reach into Illinois and are doing business with Illinois residents or consumers,” Martin said. “This private right of action under BIPA has incentivized plaintiff’s attorneys [to look] for any possible target.”
That should concern small and mid-sized businesses who might not otherwise be concerned about class-action lawsuits, Martin said.
“Most of the really large targets that could be sued under BIPA already have [been] and so there has been a definite uptick in lawsuits against small and medium-sized businesses because they’re not immune from this Illinois statute in any way,” Martin said. “If there’s insurance coverage out there, the plaintiffs, the tenants, don’t care that it’s a small business they can get an insurance policy on the hook and potentially get millions of dollars in insurance coverage to pay out a claim.”
Additionally, these types of lawsuits are not limited to a particular industry and impact every type of business, Martin said.
“If you are a business in Missouri who regularly interacts with Illinois residents and you use, for example, a fingerprint scanner to log them in and out, you need to reach out to an attorney,” Martin said. “It’s really important that if there’s a business that in some way is gathering biometric information, that they seek an attorney on the front end before they start doing it, because there is no way to cure this. And what I mean by cure is, if you have committed a violation, stopping what you’ve already done is good. It’s what you should do, you should stop immediately. But if you’ve already violated BIPA it’s too late, because if the plaintiff’s attorney finds out they’re going to sue you and it could literally bankrupt you.”
Caisman has defended Missouri employers whose employees live across state lines, she said.
“BIPA is not supposed to be extraterritorial; it is only supposed to apply in Illinois,” she said. Companies and lawyers must be cognizant about the data they have, the data they are collecting, what is being done with this, how it is being protected and even what data they could possibly be construed as collecting.
“If you’ve got consumers or employees or independent contractors, quite frankly, in the state of Illinois, or collections being done in the state of Illinois, or your servers are located in Illinois, I think you just got to be really careful to know what’s being done with the information,” Caisman said.
The future
While there are currently no federal statutes that function as a comprehensive biometric privacy law, Tedrick A. Housh, a partner at Lathrop GPM, is looking towards the future.
The use of biometrics is inextricably linked with artificial intelligence, Housh said.
“If you look at the use of facial recognition and other artificial intelligence — generative AI — we’re immersed in it right now. Almost every business is looking at ways to utilize AI, which would include the analysis of biometrics to improve efficiencies and improve their business, be it in recruiting, in performance evaluation of employees and coaching, workplace safety and almost anything you can imagine that involves human behavior we’re starting to involve artificial intelligence and generative AI,” Housh said.
It’s hard to say how, or even when, the U.S. will regulate the use of these technologies, but lawyers must remain vigilant, he said.
“I just don’t think we quite know how all that’s going to play out, which means, as attorneys and Missouri attorneys, and employers and otherwise, as citizens, I think we just need to be keeping our eye on this and thinking about both the intended and unintended consequences of our embrace of these technologies,” Housh said.