“Biometrics” refers to technology that identifies individuals based on their physical characteristics or habits, such as their fingerprints or typing habits.

Biometrics has received mixed reviews. According to some, it helps protect personal information and increases security measures. According to others, biometric methods can be intrusive because they often utilize physical characteristics.

What Purposes are Biometric Systems Being Used For?

Biometric identification systems are commonly used when granting or denying access to secured areas or information. The technology is also commonly used for:

  • Immigration: confirming the identity and immigration status of a particular alien (the Secure Communities Program uses fingerprint technology to identify and deport certain classes of illegal aliens)
  • National security concerns: identifying potential terrorists
  • Various health service applications: for example, accessing records, maintaining medical files, storing pharmaceutical and medical histories, etc.

Biometrics can be used in various ways, though the technology is more common for everyday purposes such as commercial transactions (making purchases).

How Do Biometric Technologies Work?

Utilizing computer technology, biometric systems scan for characteristics that are unique to each individual. A person’s identifying characteristics can be divided into physical traits and personal traits.

Physical characteristics can be determined by scanning facial structure, fingerprints, eye structure, thermal emissions, chemical composition, and DNA. Personal habits can be assessed by analyzing voice prints, keyboard strokes and typing habits, handwriting samples, and signatures.

It is important to distinguish physical readings from habit readings because the method employed can raise different legal issues. For example, DNA samples or eye scans are considered an invasion of privacy by many. In comparison, fewer people would probably consider handwriting analysis an invasion of privacy.

What Legal Issues are Related to the Use of Biometrics?

The biggest concern regarding the use of biometrics is the issue of violation of privacy. Most people subjected to a biometric scan or reading feel that such procedures are physically invasive, especially if they involve reading body parts.

Information security is another concern. Biometric data is often stored in a database that employers or government agencies can access. Concerns have been raised about the use of biometric data. Such data may include private information like medical histories and bank account numbers.

In the event of a legal issue regarding biometrics, it will be resolved using a traditional balancing test to determine privacy rights. An individual’s expectation of privacy will be weighed against the public’s need for such information. For instance, a court might analyze a person’s handwriting for national security reasons. The public is very concerned about national security, so a judge might decide that examining the handwriting is necessary to protect national security.

Which Laws Govern the Use of Biometrics?

Biometric technology is so new that very few laws specifically address its use and application. Many laws govern confidential information, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA). However, these are very general laws that deal with the overall confidentiality of a given sector. We should expect to see more specific laws as the use of biometrics grows.

Illinois’ Biometric Information Privacy Act

To protect biometric data from unauthorized collection and use, Illinois passed the Biometric Information Privacy Act (BIPA), the country’s first and most stringent consumer data privacy law protecting biometric data.

BIPA regulates the collection, processing, disclosure, and security of biometric information of Illinois residents. Biometric data differs from other personally identifiable information because it cannot be changed easily.

BIPA outlines stringent protocols on the capture, conversion, storage, or sharing of “biometric identifiers,” defined as “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

BIPA has led to a flood of litigation in Illinois, including class actions. BIPA established a private right of action with liquidated statutory damages. In claims brought under the BIPA, plaintiffs may seek actual or liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation. The prevailing party may also obtain injunctive relief and attorney fee reimbursements. In 2021, Facebook settled a BIPA class action over its photo-tagging software, costing the social media company $650 million. Similarly, TikTok settled a class-action lawsuit for $92 million over its face detection in videos.

Because injury is presumed without proof of actual damages, plaintiffs have chosen, as a principal target of BIPA class actions, employers who track their employees’ comings and goings using biometric scans, that is, businesses that have replaced traditional punch clocks with fingerprint scanners. Replacing old-fashioned punch clocks, where employees insert cards into a device that timestamps when they arrive at work, is believed to discourage “buddy punching.” Biometric scanners would, of course, deter workers from inserting the time cards of others to cover for their tardiness.

Employers who fail to obtain their employees’ informed consent frequently face employee class actions with potentially large exposures based on BIPA’s statutory damages. Businesses that track individuals’ privileges using biometric data for security and convenience, such as fitness clubs, have also been targeted.

Biometrics Data Privacy Protection Legislation Throughout the U.S.

Biometric data privacy protection legislation has been influenced by BIPA in states throughout the country. However, no other state (including the municipality of New York City) with biometric data privacy legislation has adopted BIPA’s broad private right of action. A Texas law passed in 2009, the Capture or Use Biometric Identifier Act (CUBI), does not contain a private right of action, allowing only the Texas Attorney General to pursue violations.

The fact that the attorney general can enforce a right of action on behalf of the public is a significant aspect of the emerging laws regarding the privacy of biometric data to which businesses should pay careful attention. The Texas Attorney General recently filed a lawsuit against Facebook for violating the CUBI, alleging that the social networking site harvested millions of facial biometric templates.

Washington’s Biometric Privacy Act (WBPA) does not have a private cause of action. A broad security exception is provided in WBPA, which exempts entities collecting biometric information for a “security purpose.”

Specifically, New York City’s biometrics ordinance pertains to “commercial establishments,” defined as “food and beverage establishments, entertainment venues, and retail stores” that collect, retain, convert, store, or share biometric identifier information from customers. The city ordinance requires regulated businesses to post clear, conspicuous notices near all customer entrances. However, the private right of action is subject to a 30-day notice-and-cure period. Damages can range from $500 to $5,000 per violation, along with attorney fees.

There is a private right of action under the California Consumer Privacy Act (CCPA), which applies to biometric data. In 2023, the CCPA will be strengthened with the California Privacy Rights Act (CPRA), which, among other things, creates an enforcement agency.

Currently, a private claim must be based on a business’s failure to implement and maintain reasonable security procedures that resulted in “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s nonencrypted or nonredacted personal information. Nonetheless, the debate over protecting biometric data as a special class of data warranting extra protection continues, as a bill has been introduced in the California Legislature, which would adopt an express private right of action similar to BIPA.

What If I Am an Employer or Organization that Wishes to Install a Biometrics System?

Any company that is considering using biometrics should:

  • Clearly state the purpose of the biometrics system in policies or company handbooks; make it possible for employees to voice their concerns or complain
  • Indicate whether the system is being used for identification or verification purposes
  • State whether the biometrics technology is required or optional (“compulsory” vs. “voluntary”)

Do I Need a Lawyer?

If you feel that a biometrics test has violated your rights, you should speak to an immigration attorney immediately. Your counselor will be able to talk to you about your privacy rights and whether there has been an invasion of privacy. In addition, if you wish to install biometrics systems at your business or workplace, you should consult a lawyer for legal advice on how to use the technology.