Biometric privacy 2022 year-in-review
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
2022 was another banner year for biometric privacy, with a number of high-profile developments taking place in this space, the most notable being the first Illinois Biometric Information Privacy Act (“BIPA”) jury verdict in Rogers v. BNSF Ry. Co., No. 19 CV 3083 (N.D. Ill.). In addition, class action filings continued apace, several decisions on key BIPA issues extended the boundaries of liability exposure for non-compliance even further, and a number of eight- and nine-figure class action settlements pushed the already-inflated value of BIPA claims even higher.
At the same time, state and municipal lawmakers in other parts of the country unsuccessfully attempted to install greater controls over the collection and use of biometric data, and are likely to continue these pursuits during the 2023 legislative session. At the federal level, lawmakers also introduced legislation that would have governed biometrics practices in a uniform fashion across all 50 states, while the Federal Trade Commission (“FTC”) commenced its own rulemaking activities, which (among other things) focus on evaluating the need for more stringent regulation over biometric technologies by the country’s de facto federal privacy regulator.
Taken together, these major 2022 developments will make managing legal risks and mitigating class action liability exposure an even more complex, difficult task for companies that utilize biometrics in their operations in 2023 as compared to years past.
First BIPA trial results in resounding win for plaintiff
On October 12, 2022, the world of biometric privacy litigation experienced a development noteworthy enough to put it on equal footing with Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186 (Ill. 2019)—which held actual injury is not required to pursue BIPA claims—with a jury finding in favor of a class of Illinois truck drivers in the first BIPA class action to be tried to verdict in Rogers v. BNSF Ry. Co. After closing arguments, the jury needed less than an hour to return its verdict in favor of the class of truck drivers, which awarded $428 million in statutory damages.
The potential implications of Rogers cannot be overstated. For starters, the fact that a jury needed under an hour to reach its verdict indicates that it was not even a close call in the jurors’ eyes as to whether the conduct at issue violated BIPA. In addition, the jury’s ultimate finding against the defendant—despite the fact that the railroad did not itself actively collect, use, or possess any biometric data—provides further support for the critical but unsettled issue of vicarious liability in BIPA class action disputes.
Significant BIPA settlements
2022 also saw a number of sizeable BIPA settlements, which will serve to further increase the already-inflated value of BIPA claims in 2023.
In August 2022, Snap, the parent company of photo-sharing platform Snapchat, reached a $35 million settlement to resolve ongoing litigation which alleged that the company improperly collected biometric data in violation of BIPA through its Lenses feature (which allows users to add special effects to their Snapchat images) and its Filters feature (which allows users to overlay images onto a pre-existing image framework). The case is Boone v. Snap Inc., No. 2022 LA 708 (Ill. Cir. Ct. DuPage Cnty.).
In the same month, an Illinois federal district court granted final approval for the $92 million BIPA settlement involving another popular social media platform, TikTok. In addition to the settlement’s monetary component, the terms agreed to by TikTok also encompassed broad injunctive relief, including commitments by TikTok to place limitations on the storage and transmission of data outside the U.S., the deletion of certain user-generated content, implementation of an annual privacy employee training program, and a three-year privacy auditing period. The case is In re: TikTok, Inc., Consumer Priv. Litig., No. 20 CV 4699 (N.D. Ill.).
A month later, Google finalized its $100 million settlement to resolve alleged BIPA violations relating to its Google Photos service, which purportedly collected millions of face templates from users in violation of Illinois’s biometric privacy statute. The Google settlement also includes a prospective relief component requiring the company to provide notice to all users, obtain users’ affirmative consent, and develop, publish, and abide by a retention policy requiring the deletion of all face templates associated with a user’s account within a reasonable period of time after certain actions are taken by the user, such as deactivating the “face grouping” feature in the company’s photos app. The case is Rivera v. Google LLC, No. 2019 CH 990 (Ill. Cir. Ct. Cook Cnty.).
These developments illustrate that high settlement awards are becoming the norm, and not the exception, in BIPA class actions. At the same time, recent settlements indicate that in addition to sizeable monetary penalties, companies that are alleged to have violated BIPA may also be required to make modifications to their compliance programs in order to resolve biometric privacy class action disputes.
More states introduce (unsuccessful) biometric privacy legislation
Continuing the trend that has existed for several years now, lawmakers across the country introduced a number of legislative proposals aiming to place greater controls over the collection and use of biometric data. While none of these bills successfully made their way into law in 2022, it was not for a lack of effort on the part of lawmakers.
In 2022, the most straightforward method lawmakers used in their attempt to enact greater regulation over the commercial use of biometrics was through broad biometric privacy bills that targeted the use of all forms of biometric data, similar to BIPA, Texas’s Capture or Use of Biometric Identifier Act (“CUBI”), and Washington’s “HB 1493” biometrics statute. Other states, however, attempted to enact legislation that departed significantly from the BIPA blueprint. While both types of legislation would have generated broad liability exposure similar to that of the Illinois law, the new “hybrid” biometric privacy bills introduced during the 2022 legislative cycle—which blended traditional biometric privacy legal principles with those normally confined to more comprehensive consumer privacy laws—would have also required wholesale modifications to companies’ existing biometric privacy compliance programs due to the range of unique provisions in these pieces of legislation.
Other lawmakers took a more focused approach to their legislation. Instead of seeking to regulate all types of biometric data, these bills singled out specific types of biometric technologies—and facial recognition in particular. The targeted facial biometrics bills introduced in 2022 were a continuation of the trend that began in late 2020, when Portland, Oregon became the first jurisdiction in the nation to enact a blanket ban over the use of facial recognition by the private sector.
Ultimately, while none of the bills introduced in 2022 made their way into law, the high volume of legislative proposals signals lawmakers’ intention to continue their efforts to bring these bills to fruition in 2023.
Federal privacy bill regulating biometric data introduced
At the federal level, lawmakers on Capitol Hill introduced the American Data Privacy and Protection Act (“ADPPA”), which would have regulated biometric data in a uniform fashion across all 50 states. Of note, the ADPPA would have narrowly limited the collection and use of biometric data to only those instances where such activities were strictly necessary to provide a specific product or service requested by the subject of the biometric data, or under one of ten narrowly-tailored “permitted purposes” set forth in the statute, such as complying with a legal obligation. The federal privacy bill would have also restricted companies from disclosing, releasing, sharing, disseminating, or otherwise making biometric data available to third parties unless the transfer was necessary to facilitate data security or verifying/authenticating individuals’ identities.
Importantly, while the ADPPA would have generally preempted any state laws that are “covered by the provisions” of the statute or its regulations, the bill did not preempt all state privacy laws, providing carve-outs for BIPA and other laws that solely addressed facial recognition or related technologies. As a result, the ADPPA would have added significant complexity to the legal landscape had it made its way into law, providing regulation over biometric data in those jurisdictions where none currently exists, while at the same time keeping in place today’s biometrics-related laws and regulations, each with its own unique nuances.
FTC aims for greater regulation over biometric technologies
In August 2022, the FTC commenced its efforts to implement new agency rules focused on privacy and data security with the issuance of its Commercial Surveillance and Data Security Advance Notice of Proposed Rulemaking (“ANPR”), seeking public comment on whether new trade regulation rules are needed to protect people’s privacy and information. The ANPR is broad and far-reaching, seeking comment on 95 questions relating to harms stemming from commercial surveillance and lax data security practices.
From a general perspective, the ANPR provides key insights on the specific practices and associated harms viewed by the FTC as most concerning and potentially in need of greater enforcement. As noted in the ANPR, the FTC seeks to create a “public record about prevalent commercial surveillance practices” that are deceptive or unfair, which will “help to sharpen” the Commission’s enforcement activity—even in the event the ANPR does not result in the promulgation of new trade regulation rules. In addition, the ANPR also offers a useful guide on the Commission’s recent privacy and security enforcement activities, while also providing a synopsis of notable recent FTC enforcement actions and the Commission’s policy work in the area of facial recognition.
Importantly, the ANPR focuses directly on whether the Commission should consider limiting commercial surveillance practices that involve the use of facial recognition, fingerprinting, and other biometric technologies—and if so, how that should be done. Moreover, beyond the ANPR, the FTC has also recently reiterated its intent on several occasions to increase its efforts in policing improper facial recognition practices through investigations and, when necessary, enforcement actions.
As has been the case in years past, 2022 involved many noteworthy developments in the area of biometric privacy that have not only increased the complexity of complying with the law when using biometrics, but have also expanded the scope of liability exposure for non-compliance with the ever-increasing patchwork of biometric privacy laws.
As we head into 2023, companies can be certain that the coming year will feature greater litigation risks, as well as the potential for the enactment of new biometric privacy statutes and ordinances—which together will make the task of staying compliant with the law while using biometrics even more challenging.
In addition to maintaining compliance with today’s body of biometric privacy regulation, companies should also ensure they have in place flexible biometric privacy compliance programs that can be easily modified and expanded to rapidly adapt to the many new changes in the area of biometric privacy that are sure to be seen throughout 2023.
About the author
David J. Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and a member of the firm’s global Data Privacy, Cybersecurity & Digital Assets practice. David’s practice focuses on counseling and advising clients on a wide range of biometric privacy, artificial intelligence, and data privacy/security compliance and risk management matters. He can be reached at firstname.lastname@example.org.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.