Biometrics regulations are coming, firm warns as BIPA lawsuits pile up
Companies using biometrics should create policies and procedures for security, notice and consent, even if the law does not currently require them to do so, in anticipation of changes, law firm Thompson Hine advises.
The firm warns that “the regulations are coming!” and provides a review of the legal landscape in the U.S. at the state level.
In addition to established laws in Illinois, Texas, and Washington, Thompson Hine notes new legislation protecting biometric data has been enacted in Arkansas, California, and New York, with Washington adding data breach rules to its biometric regulation.
Laws have also been proposed in recent years, but not yet enacted, in Delaware, Alaska, Florida, Arizona, Hawaii, Oregon, Massachusetts, New Hampshire, New Jersey, and Rhode Island, which the firm says “demonstrates the trend among states to provide protections and regulate the collection of biometric data.”
Insurer Chubb has also identified state biometrics laws as a trending cyber risk in a new report, according to Insurance Journal. Illinois is the most prominent example, due to the right of private action the state’s BIPA provides, but other state regulators, as well as the federal government and international regulators, are considering new restrictions.
Illinois, meanwhile, has passed a new Artificial Intelligence Video Interview Act, which regulates the use of AI facial analysis and similar technologies for evaluating candidates, a blog by law firm Davis Wright Tremaine LLP notes, saying it is the first state to do so. Eye On Privacy reports that the state has also amended its data breach notice law to require the Illinois Attorney General be informed of any data breach involving more than 500 state residents.
BIPA surge continues
Agricultural products company Agreliant Genetics is being sued under BIPA for allegedly failing to set out a retention schedule or receive written consent from workers for using fingerprint biometrics for employee time and attendance tracking, The Madison-St. Clair Record reports. The company did provide written notice to employees. The Record also reports Bria Health Services and Belleville Healthcare & Rehabilitation Center is being sued for allegedly using a fingerprint and hand geometry system without providing written information or collecting employee consent.
The Cook County Record reports that R. A. Kerley Ink Engineers Inc. is facing a suit for allegedly missing the informed consent boat, as is Burger King, though the plaintiff in that case resides out of state. Gurtler Chemicals is likewise accused of failing to provide notice or collect consent, as is D&D Manufacturing Inc. NEP Electronics Inc. is accused of not informing employees of its data retention plans for its time and attendance system, and CH Ventures LLC allegedly violated BIPA’s data storage information and consent requirements.
All of the above suits are proposed class actions, relating to employee time and attendance, with the alleged violations in each case relating to informed consent practices, rather than illegal breach or disclosure to a third party, or what defense attorneys and the U.S. Chamber of Commerce have previously characterized as “real-world harm.”