Beyond BIPA: Mitigating biometric data legal risks under Texas and Washington biometrics laws
By David J. Oberly and Nicole D. Brenner*
Maybe your company is considering using retina scans for employee building access. Or maybe it is already using fingerprints for timekeeping. Both fall under the umbrella of biometrics—measurable human biological and behavioral characteristics used for identification and verification purposes. Companies across all industries continue to increase their reliance on biometric data, which offers a myriad of benefits—including added convenience, increased efficiency, strengthened security, and consumer experience enhancements, just to name a few.
Importantly, however, unlike other forms of personal information, once biometric data is compromised, individuals have no recourse and are at a significantly heightened risk for identity theft. Likewise, the threats posed by collecting, processing, and storing biometric data without being fully compliant with the law are equally severe.
Consequently, before employing any type of biometrics solution, companies should understand the current legal landscape and associated risks to effectively mitigate potential liability. Further—and with a solid understanding of the lay of the land in hand—companies should thereafter enhance their current privacy compliance programs to ensure ongoing, continued compliance with today’s patchwork of laws governing the collection and use of biometric data.
Legal Landscape Overview
While there is no federal statute specifically regulating the use of biometrics, Illinois, Texas, and Washington have each enacted their own biometric privacy laws. Given the ever-increasing frequency of Illinois Biometric Information Privacy Act (“BIPA”) class action filings, much ink has been spilled stressing the critical importance of maintaining strict compliance with BIPA’s stringent requirements. Much less has been said, however, about how companies can best mitigate the applicable legal risks and liability exposure under Texas’s Capture or Use of Biometric Identifier Act (“CUBI”) and Washington’s HB 1493 biometric privacy statute.
While CUBI and HB 1493 achieve the same objectives as BIPA of enhancing the level of privacy and security over biometric data through the imposition of requirements and restrictions over its collection and use, there are several major differences (discussed below) which separate CUBI and HB 1493 from Illinois’s biometrics statute.
Evaluating the Differences Between BIPA, CUBI & HB 1493
Illinois’ BIPA is unique and stands apart from its Texas and Washington counterparts because it is the only biometric privacy law in effect today that includes a private right of action as its main enforcement mechanism. Moreover, mere technical violations of BIPA are sufficient, by themselves, for individuals to pursue class action claims under the statute. This has led to a tsunami of class action litigation that has continued apace for well over two years now—with no sign of slowing down moving forward.
While the biometrics laws of Texas and Washington model BIPA in many ways, companies should understand that there are important differences.
For example—and unlike both BIPA and HB 1493—CUBI does not permit companies to disclose or disseminate biometric data merely by obtaining an individual’s consent. Instead, CUBI only allows for disclosures under four extremely narrow sets of circumstances. At the same time, while BIPA’s publicly-available privacy policy requirement remains one of the most commonly-asserted claims in class action litigation today, CUBI does not require any type of privacy disclosure regarding organizational biometric data practices.
Washington’s statute also has several unique wrinkles not found in BIPA or CUBI. Most importantly, HB 1493 is focused on the “enrollment” of biometric data, as opposed to the mere collection or capture of such data. Under the Washington statute, “enroll” means “to capture a biometric identifier of an individual, convert it into a reference template that cannot be reconstructed into the original output image, and store it in a database that matches the biometric identifier to a specific individual.” Thus, under HB 1493, biometric data that has been captured—but not converted such that it can be used to identify or verify individuals’ identities—falls outside the scope of the statute. Beyond the issue of enrollment, HB 1493 also departs from BIPA and CUBI because it does not include face geometry within its definition of biometric identifier (or any other part of the statute’s text, for that matter), thus ostensibly excluding facial recognition from regulation under HB 1493.
Recent Key Developments
As mentioned above, unlike BIPA, CUBI and HB 1493 do not contain a private right of action. Consumers, therefore, do not have the ability to bring class action claims for purported violations of the Texas and Washington laws.
With that said, recent CUBI litigation instituted in February 2022—State of Texas v. Meta Platforms, Inc. f/k/a Facebook, Inc.—highlights the potentially severe ramifications of legal non-compliance when leveraging the benefits of biometric data in states other than Illinois. In that case, the Texas AG alleges that Meta Platforms (which at the time operated under the Facebook name) illegally captured and thereafter used the face geometry data of millions of Texans in connection with the company’s now-defunct “tag suggestions” feature without first providing notice or obtaining consent. In addition, the suit also alleges that Meta violated CUBI by failing to permanently destroy users’ biometric data within a reasonable time.
Of note, the Meta lawsuit spotlights the concerted effort litigants will likely take in future disputes in attempting to persuade courts to interpret the CUBI term “commercial purpose” in an extremely broad fashion—which, if successful, would significantly expand the scope of liability exposure under Texas’s biometric privacy statute. In the Meta complaint, the Texas AG takes the position that even the company’s internal use of biometric data to train its algorithms and improve its product features constitutes a “commercial purpose” under CUBI; similar attempts to expand the contours of Illinois’s biometric privacy statute have also been seen in BIPA class action litigation as well.
To further complicate matters, other jurisdictions have also followed the lead of Illinois, Texas, and Washington by legislating certain aspects of biometrics. For example, in 2021 New York City enacted legislation imposing restrictions on the collection and use of biometric data applicable to “commercial establishments.” Looking beyond 2022, it is anticipated that many state and municipal lawmakers will propose targeted legislation similar to BIPA, CUBI, and HB 1493 during the 2023 legislative cycle.
Practical Compliance Tips
This all leads to the question: what should companies do to ensure compliance with current and future biometrics laws? Businesses are well-advised to evaluate their current use of biometric data and implement comprehensive biometric privacy compliance programs to ensure flexible, adaptable compliance with the law. Critically, even those companies that do not operate in Illinois, Texas, or Washington should nonetheless still be cognizant of the current and expanding legal/liability risks. While these three states have paved the way, other legislatures will soon follow suit. In particular, companies should consider the following:
- Written Notice & Consent: Both Texas and Washington require companies to provide notice and obtain consent, but neither statute mandates any type of written notice or consent requirement. Conversely, BIPA requires both notice and consent to be in writing. While CUBI and HB 1493 offer more flexibility in satisfying these requirements vis-à-vis BIPA, companies should nevertheless provide notice and obtain consent in writing whenever feasible.
- Minimize Retention of Biometric Data: All three laws also require companies to retain biometric data for a limited period of time and delete that data at certain defined junctures. As a rule of thumb, companies should permanently destroy biometric data when it is no longer needed for the initial purpose for which it was originally collected.
- Maintain a Biometrics-Specific Privacy Policy: Neither CUBI nor HB 1493 requires companies to maintain a biometrics-focused privacy disclosure of any kind. With that said, to promote transparency, companies should nonetheless maintain a written, publicly-available privacy policy addressing their biometric data collection, use, retention, and destruction practices and protocols—even if not required by law. In so doing, companies should focus on offering detailed information to individuals as to why and how the company is using their sensitive biometric data so that they can make informed decisions whether to give consent to the organization’s use and storage of their biometrics.
- Employ Reasonable Security Measures to Safeguard Biometric Data: All three laws require companies to maintain reasonable security measures to safeguard biometric data from unauthorized access, disclosure, or acquisition. Two security protocols that all companies should consider implementing whenever feasible are encryption and multi-factor authentication (“MFA”), both of which are extremely effective in safeguarding all types of sensitive personal information. At the same time, only those individuals with a business need for biometric data should be afforded access to such data.
- Strictly Prohibit Sales & Profiting From Biometric Data: Finally, companies should ensure they maintain a strict policy barring the company, as well as its employees and vendors, from engaging in any sales of biometric data or otherwise profiting from individuals’ biometric data.
The Final Word
The commercial collection and use of biometric data has skyrocketed in recent years. At the same time, lawmakers have greatly increased their efforts to put in place stringent laws regulating this same data. Businesses should remain cognizant about the relevant biometric privacy liability risks when employing biometric technologies. Implementing an effective compliance program will help mitigate potential legal risks and ensure that companies maintain compliance with the law—not just now, but as additional laws governing biometric data are enacted moving forward as well.
About the Authors
David J. Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s global Data Privacy, Cybersecurity & Digital Assets practice. David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. He can be reached at david.oberly@squirepb.com.
*SPB Summer Associate Nicole Brenner also contributed to this article.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.