Biometrics lawsuits and privacy budgets forecast to balloon as bills, enforcement advance
U.S. states Maryland and Texas are continuing on their paths to stricter regulation of the collection and use of biometric data. Maryland’s state senate is debating a proposed bill that draws inspiration from the nation’s most litigious statute for protection against unwanted biometric data collection, and legal analysts cited by Bloomberg Law see a wide fallout from Texas’ litigation against Meta for biometric data collection. Gartner predicts that privacy lawsuits against biometric companies will add up to $8 billion in fines and settlements by 2025, which will force companies to raise their privacy budgets in response.
Legal experts warn of spreading enforcement with Texas lawsuit against Meta
Texas’ lawsuit against Meta over facial recognition technology could set off a domino effect that impacts the biometric industry as a whole, say legal experts and analysts cited by Bloomberg Law.
A lawsuit filed by Texas Attorney General Ken Paxton against Facebook’s parent company alleges that Facebook illegally harvested millions of facial biometric templates on the social media site.
Legal experts cited by Bloomberg Law suggest that the potential harm extends far beyond Meta or Texas, with Melissa Krasnow, a partner at VLP Law Group in Minneapolis, saying, “This is a big statement given the heft of Texas and the heft of Meta, and it could embolden other state attorneys general to pursue investigations using their own deceptive trade practices laws. This is certainly a cautionary tale for other companies.”
Experts quoted in the report add that the Texas lawsuit could encourage other states to pursue legal action via deceptive trade practices laws, be an impetus for a “domino effect” that results in heightened scrutiny in Texas and Washington D.C., and affect companies with weak biometrics or security practices.
Texas may also inspire other states without biometric privacy legislation to take their own legal action by enacting statutes similar to Texas’ law, says Linn Freedman, a partner at Robinson & Cole LLP in Providence, Rhode Island. David Oberly, an attorney at Blank Rome LLP in Cincinnati, says disclosing information about sensitive data such as biometrics is a “crucial safeguard” for companies.
“Companies need to realize that they shouldn’t hold onto biometric data even if they don’t fall under the Texas law or other biometric laws,” Oberly comments.
Private right of action still in Maryland biometric data privacy bill
The Electronic Frontier Foundation (EFF) is defending a bill circulating in Maryland’s State Senate, which the group argues protects against unwanted biometric data collection and empowers citizens against businesses.
A companion bill in the House, like Senate Bill 335, has advanced past a first reading to committee.
The EFF issued a news release that stated the group was “proud” to testify in support of SB 335, a bill that requires corporations to receive consent from users before they collect biometric data, and allows users to sue businesses that violate their biometric data privacy.
The private right of action – the right of a private entity to sue – has received pushback, but the EFF says it was encouraged to see two state senators defend what it calls “the most important piece of this bill.” Citing Illinois’ Biometric Information Privacy Act (BIPA), which SB 335 is said to be based on, the EFF says removing the private right of action would weaken the bill. In its comparison of BIPA to Texas’ privacy law, the EFF says Texas’ lack of a mechanism for citizens to sue corporations resulted in it taking 12 years for the Texas Attorney General to bring a first enforcement action, and that the action only covers the same ground as a lawsuit from Illinois in 2021 that was settled for $650 million.
“People should be able to choose which companies they trust with their information, especially information as sensitive and unique as biometrics. Companies should recognize the responsibilities inherent to the collection of biometric information. They also must be held accountable for actions that break that trust,” the EFF says.
Maryland has passed biometric privacy laws in recent years, including a 2021 law that limits genealogy companies from participating in criminal investigations, except for serious violent crimes. In 2020, the state prohibited facial scanning during job interviews without the consent of the candidates.
Biometric privacy lawsuits and budgets to continue climbing
Technology consulting firm Gartner foresees privacy lawsuits and claims related to biometric information processing and cyber-physical systems totaling $8 billion in fines and settlements by 2025.
In a virtual conference held at the Gartner Security & Risk Management Summit, Bart Willemsen, research vice president at Gartner, noted the increased capacity for biometric data collection through autonomous vehicles, drones, and smart cities, and the collision with privacy laws that cover the capture, conversion, storage and processing of biometric data, and possibly prohibit the selling, leasing, trading or profiting from biometric data.
Willemsen says, “In such cases, it is important that security and risk management leaders and privacy leaders consider alternative, less invasive means to achieve the intended purposes, explaining all necessary information to the customer without any caveat.”
With privacy facing such challenges, Gartner also predicts that large organizations will see their average budget for privacy pass $2.5 million by 2024 as part of a shift from compliance ethics to competitive differentiation.
The company says the rise in remote work, online activity, and virtual learning combined with increasing cyberthreats and privacy regulation will force the hand of organizations to jumpstart their privacy efforts.
Willemsen says privacy rights and consent management services will aid in this transition, which will increase trust with customers. Gartner recommends organizations enhance customer-centric activities, such as allowing customer experience professionals to address customer complaints on lack of transparency and giving access to privacy rights to all global clientele.