
The rapid adoption of biometric technologies in the workplace has introduced significant legal and privacy challenges. Illinois’ Biometric Information Privacy Act (BIPA) has set a precedent for biometric privacy regulation, sparking a wave of litigation and influencing similar laws in states like Texas, Washington, and California. With courts interpreting BIPA’s provisions broadly and new amendments reshaping liability, employers must navigate a complex landscape to ensure compliance. Learn how DataProbity can help your organization implement a robust biometric data governance framework to mitigate risks and stay ahead of evolving regulations.



Employers Beware of New Biometric Privacy Requirements

Illinois' Biometric Information Privacy Act (BIPA) has served as a critical testing ground for biometric privacy regulation since its enactment in 2008, offering valuable insights that continue to shape privacy legislation nationwide. The law’s journey from relative obscurity to becoming the centerpiece of privacy litigation has exposed both the strengths and challenges of biometric privacy regulation. The explosion of class action litigation beginning in 2018 revealed the powerful impact of including a private right of action, while subsequent court decisions, particularly Rosenbach v. Six Flags (2019) and Cothron v. White Castle (2023), demonstrated how statutory interpretation can dramatically affect corporate liability.

The 2024 amendment to BIPA, limiting damages to one recovery per person rather than per scan, highlights the ongoing struggle to balance meaningful privacy protections with practical business considerations. This amendment has significantly reduced the potential for astronomical damage awards, but it has not eliminated the risk of litigation. Employers must still ensure strict compliance with BIPA’s requirements, as even technical violations can result in substantial penalties. BIPA’s evolution has also underscored the importance of clear statutory definitions, as courts have grappled with interpreting terms like "biometric identifier" and "collect" in the context of rapidly advancing technology. The law’s impact on workplace practices, particularly regarding time and attendance systems, has fundamentally changed how businesses approach biometric data collection and management.


Key Provisions of BIPA
  • Requires informed written consent before collecting biometric data.
  • Mandates a public policy on retention and destruction schedules.
  • Prohibits the sale, lease, or trade of biometric data.
  • Establishes a private right of action with statutory damages.
  • Sets security standards requiring "reasonable care" for biometric data.

BIPA’s Private Right of Action and Litigation Trends

BIPA’s private right of action, which allows individuals to sue companies directly for violations, has been the catalyst for a wave of litigation. The law’s statutory damages structure - $1,000 per negligent violation and $5,000 per intentional or reckless violation - has made class actions an attractive vehicle for plaintiffs, leading to high-profile lawsuits against companies that were using fingerprint time clocks, facial recognition, and voice authentication.

One of the most significant rulings shaping BIPA litigation came in Rosenbach v. Six Flags, where the Illinois Supreme Court held that plaintiffs do not need to show actual harm to qualify as "aggrieved persons" under BIPA. This decision dramatically expanded the scope of lawsuits by allowing claims based solely on technical violations.

The stakes for businesses escalated further with Cothron v. White Castle, where the court ruled that each unauthorized biometric scan constitutes a separate violation, rather than treating a repeated biometric collection as a single offense. This interpretation meant that employers using biometric time clocks could face damages in the billions. The Illinois Legislature responded with an amendment in 2024, clarifying that violations should be counted per individual rather than per scan, mitigating astronomical damage assessments.

Evolving Categories of BIPA Class Actions
  • Fingerprint time clock systems.
  • Facial recognition in security cameras.
  • Voice authentication systems.
  • Hand geometry scanners.
  • AI-driven biometric analysis.
  • Retail “try-on” technologies (hairstyle, makeup).
  • Biometric authentication in mobile devices.

State-Level Biometric Privacy Laws

While Illinois pioneered biometric privacy laws, other states have followed with their own regulations, albeit with key differences in enforcement and scope. Texas, Washington, New York, Maryland, and California have all enacted biometric privacy laws, each with varying degrees of stringency.

Texas’ Capture or Use of Biometric Identifier Act (CUBI) shares many similarities with BIPA but limits enforcement to the state attorney general, thus barring private lawsuits. Washington State's House Bill 1493, enacted in May 2017, focuses on the collection and use of biometric data for commercial purposes. The law defines "biometric identifier" as data generated by automatic measurements of an individual's biological characteristics, such as fingerprints, voiceprints, eye retinas, irises, or other unique biological patterns used to identify a specific individual. Notably, it excludes physical or digital photographs, video or audio recordings, and data generated from them. Entities are prohibited from enrolling a biometric identifier in a database for a commercial purpose without first providing notice, obtaining consent, or offering a mechanism to prevent the subsequent use of the biometric identifier for a commercial purpose. The law also restricts the sale, lease, or disclosure of enrolled biometric identifiers, unless certain conditions are met.

State-Level Biometric Privacy Laws
  • Texas CUBI: Requires consent but no private lawsuits.
  • Washington HB 1493: Focuses on commercial biometric data use.
  • New York Biometric Privacy Act: Follows BIPA model but with additional security requirements.
  • Maryland Biometric Law: Combines elements of BIPA and Washington's law.
  • California CPRA: Treats biometric data as sensitive personal information.
  • Virginia VCDPA: Requires opt-in consent for biometric data.

The Future of Biometric Privacy Regulation

As biometric technology continues to evolve, so too will the legal landscape. Employers and businesses must proactively ensure compliance by implementing robust biometric data governance, obtaining explicit consent, and staying informed of legislative updates. The expansion of biometric privacy laws across the U.S. signals that regulatory scrutiny will only intensify, making compliance an essential component of business operations.


State-level biometric privacy regulations are evolving rapidly, and non-compliance can result in costly litigation and reputational damage. DataProbity has significant experience not only with biometric frameworks but also with driving Privacy by Design into biometric products. We offer tailored solutions to help you implement biometric data governance strategies that meet regulatory requirements and protect employee privacy. Contact us today to develop a comprehensive biometric privacy strategy that safeguards your business and aligns with these evolving regulatory requirements.