by Jennifer Chung (J.D. 2022)
Biometrics are a cutting-edge aspect of technology present in many people’s lives.[1] They measure an individual’s personal characteristics and are more commonly recognized as the fingerprint and facial recognition technology on the Apple iPhone, the fingerprint recognition technology on many laptops, and the facial recognition technology on social media platforms.[2] Many platforms and products use these human metrics to verify the user’s identity.[3] These unique characteristics are measured and matched in a database.[4] While this emerging technology provides convenience to many users, there are no federal laws to regulate biometrics or the databases in which biometric data is collected and stored.[5] As such, users are particularly at risk in the event of a data breach because these unique identifiers cannot be changed, unlike passwords.[6] Many states do not regulate biometric privacy, and an individual’s rights might vary from state to state.[7]
Only three states—Illinois, Washington, and Texas—have biometric information privacy statutes.[8] Other states, like California, have considered or will be enacting legislation on biometric information privacy.[9] Under the Illinois Biometric Information Privacy Act (“BIPA”), “The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”[10] Under the BIPA, any prevailing party may recover $1,000 in liquidated damages or actual damages, whichever is greater, if the offending party negligently violated a provision of the Act or $5,000 in liquidated damages, or actual damages, whichever is greater, if the offending party intentionally or recklessly violated a provision of the Act.[11] Illinois’ BIPA has led to legal suits, such as In re Facebook Biometric Information Privacy Litigation and Rivera v. Google.[12]
Facebook was a class action suit brought by three Facebook users who uploaded and shared photographs with friends.[13] Facebook’s “Tag Suggestion” program scans users’ photographs and identifies faces.[14] If the program recognizes a face, it will suggest that “individual’s name or automatically tag them.”[15] To make these tagging suggestions, Facebook uses facial recognition technology to extract biometric identifiers from photographs uploaded by users.[16] The plaintiffs in this case alleged that Facebook collected users’ biometric data without their consent.[17] Specifically, users were not informed in writing that their biometric information was being collected and stored nor did Facebook receive written releases from users, as required by Illinois BIPA.[18] In August 2019, the 9th Circuit held that the plaintiffs had Article III standing.[19] Facebook’s request for a rehearing en banc was denied, and the U.S. Supreme Court denied certiorari in January 2020.[20] The case was settled for $550 million, which has been the “largest all-cash privacy class action settlement to date.”[21]
Similarly, the plaintiffs in Rivera v. Google alleged that Google collected and stored their facial scans through Google Photos.[22] In this case, Google used facial recognition technology to group visually similar faces within users’ private accounts.[23] Google did not use the face templates it created for any purpose other than organizing photographs in users’ private Google Photos accounts.[24] However, in this case, the court granted Google’s motion for summary judgement and dismissed the plaintiffs’ claims because the plaintiffs did not suffer an injury sufficient for Article III standing and so the court lacked subject matter jurisdiction over plaintiffs’ claims.[25]
As illustrated in these examples, the prevalence of biometric data will become more ubiquitous as technology continues to evolve. Concerns about privacy and disclosure are ever-present with the increased use of sensitive biometric data. As such, it is important for consumers to understand how businesses use biometrics and it is important for businesses to understand how biometrics are regulated from state-to-state.
Editor’s note: An earlier version of this article mistakenly stated that the resolution of the Facebook case was pending. This article has been updated to correct the resolution of the case.
[1] Kim Porter, Biometrics and biometric data: What is it and is it secure?, NortonLifeLock Inc. (Nov. 24, 2019, 3:40 PM), https://us.norton.com/internetsecurity-iot-biometrics-how-do-they-work-are-they-safe.html [https://perma.cc/4CKE-QE5U].
[2] See id.
[3] Id.
[4] Id.
[5] Id.
[6] See id.
[7] Id.
[8] See Alan S. Wernick, Biometric Information – Permanent Personally Identifiable Information Risk, American Bar Association (July 2, 2019), https://www.americanbar.org/groups/business_law/publications/committee_newsletters/bcl/2019/201902/fa_8 [https://perma.cc/M4PL-6ZX9].
[9] Id.
[10] 740 Ill. Comp. Stat. 14/1–99 (2008).
[11] Id.
[12] Rivera v. Google, Inc., 366 F. Supp. 3d 998 (N.D. Ill. 2018); In re Facebook Biometric Info. Privacy Litig. (“Facebook”), 185 F. Supp. 3d 1155 (N.D. Cal. 2016).
[13] Facebook, 185 F. Supp. 3d. at 1158.
[14] Id.
[15] Id.
[16] Id.
[17] Id. at 1159.
[18] Id.
[19] Patel v. Facebook, Inc., 932 F.3d 1264, 1267 (9th Cir. 2019), en banc denied, No. 18-15982, 2019 U.S. App. LEXIS 31146 (9th Cir. Oct. 18, 2019), and cert. denied, No. 19-706, 2020 U.S. LEXIS 538 (Jan. 21, 2020).
[20] Id.
[21] Devin Coldewey, Facebook will pay $550 million to settle class action lawsuit over privacy violations, TechCrunch. (Jan. 29, 2020, 4:34 PM), https://techcrunch.com/2020/01/29/facebook-will-pay-550-million-to-settle-class-action-lawsuit-over-privacy-violations/ [https://perma.cc/NBV2-VE6U].
[22] Rivera v. Google, Inc., 366 F. Supp. 3d 998, 1001 (N.D. Ill. 2018).
[23] Id. at 1002.
[24] Id.
[25] Id. at 1001, 1014.