How do you leverage this exciting technology in an uncertain and shifting legal landscape?
I don’t have a crystal ball, but if we look at the states with laws restricting biometric data and the proposals in states considering doing so, we can identify trends and principles that will help us plan for the coming biometric landscape.
Currently, only Illinois, Texas, and Washington have privacy laws regulating the collection and use of biometric data. While each state defines biometric data differently, there are similarities in the requirements for collecting and handling biometric data. Looking at the states currently considering biometric data bills, many apply the same broad principles as Illinois, Texas, and Washington. Here are the five general principles that emerge from my review of biometric proposals:
- Notice: Inform your members/employees that their biometric information is being collected, why it is being collected, and how it could be used.
- Consent: Get consent from your members/employees to collect and use their biometric information.
- Retention: Establish a schedule for how long you store member/employee biometric information.
- Security: Ensure that you protect biometric information with a level of security at least as high as, if not higher than, what you provide for other confidential or personal information.
- Purpose: Articulate a rationale for collecting biometric data, and make sure that it is consistent with any applicable law. Are you trying to strengthen your club’s security? Provide more benefits to your members? You should know why collecting biometric data will improve your business.
These principles are in line with a broader shift in how society and regulators view data privacy. As highlighted in the May CBI The Data Privacy Priority, the advent of the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) have signaled a move toward greater transparency and consumer control over the collection and use of personal data. If you are collecting biometric data—or considering doing so—you should give serious thought to incorporating these principles into your business processes.
Some suggestions for how you could begin to operationalize these principles:
- Put it in writing: Create a written form that you can give to members/employees explaining your biometric data collection practices.
- Less is more: Only collect and store the biometric data you need. Minimizing collection reduces your risk.
- Get it in writing: Obtain written consent from members/employees authorizing the collection of their biometric data and keep the consent on file.
- Retention schedules: Create a retention schedule and guidelines for permanently destroying biometric information when there is no longer a business or legal need to retain it. Share the retention schedule with your members/employees. Also, be sure to consult your state’s record retention laws to ensure you are in compliance.
- Anonymize if possible: Where the technology allows, make the data anonymous so it cannot be linked back to a specific individual. There are different ways to achieve this, depending on the technology you are using.
Taking steps now to bake in the principles of notice, consent, retention, and security could pay real dividends by minimizing business disruption as new biometric laws come into force. For instance, Illinois’ Biometric Information Privacy Act (BIPA) contains a private right of action. This right of action means private companies found guilty of violating BIPA are liable to compensate plaintiffs:
- $1,000 or actual damages (whichever is greater) if found to be negligent,
- $5,000 or actual damages (whichever is greater) if found to have intentionally or recklessly violated the law.
In a recent ruling, Rosenbach v. Six Flags Entertainment, the Illinois Supreme Court determined that a company can be sued for violating BIPA even if its collection of biometric information did not result in any harm to the plaintiff. In other words, if you collect biometric data in Illinois and you miss one box on the BIPA checklist, you are liable.