Biometric law is coming into the spotlight these days as the technology gets more attention from courts. The most prominent example of that — and a place where early case law precedent is taking shape — is in Illinois.
Case law and precedent around biometric authentication, ID and data storage is still a work in progress, to put it mildly
But that doesn’t mean the situation, at least for now, isn’t confusing and even contradictory when it comes to biometric law. At issue are questions of harm and standing when it comes to the Illinois law — and two recent decisions have offered differing resolutions to those questions.
Illinois’ Biometric Information Privacy Act, or BIPA, prohibits companies from using biometrics without user consent. The law may be on its way to being imitated by other states. One example is in Florida, where a BIPA-like law is under consideration by the state legislature.
Since being enacted in 2008, the law has sparked an estimated 200 court actions, including class action lawsuits, and has lately been the focus of two relatively well-known legal tussles involving Google and Six Flags. And it’s those two cases that are causing a big part of the current confusion when it comes to the use and storage of biometric authentication data.
Biometric law cases gain big targets
First, a quick review.
In early January, the Illinois Supreme Court ruled that a case in which a parent of a teenager sued Six Flags for alleged BIPA violations could continue. The teen in 2004 submitted his fingerprint data to the amusement park when buying a season pass. The law requires that a private business give proper notice and gain proper consent when obtaining biometric data (and refrain from selling or leasing it except under certain conditions). The suit argues that collecting the teen’s thumbprint violated the law, though Six Flags countered that no actual harm was done. The case has been remanded to a lower state court.
In the case involving Google, a U.S. federal judge in January tossed a suit brought against the online giant under the same state biometrics law. The suit argued that Google’s practice of collecting and storing biometric data via photographs and facial recognition software was a BIPA violation. In dismissing the suit, the federal judge said there were no “concrete injuries” that stemmed from Google’s practice. In other words, those who brought the suit had no standing, at least according to the judge.
Biometric law cases hit a knot
And that’s the knot when it comes to the Illinois Biometric Privacy Act. The two recent decisions — one from a state court, the other from a federal judge — raise questions of what exactly constitutes standing when it comes to biometric data and storage, and the state laws governing those activities.
According to a recent legal analysis of the cases from Morrison Foerster, the Six Flags case might deserve closer consideration at this point — or, perhaps, is cause for more anxiety among the biometrics industry and biometric data users — than the Google case.
“Even though the plaintiff did not allege any disclosure of the data or other actual harm,” that analysis reads, “the court sided firmly with the plaintiff on the issue of standing, stating: ‘To require individuals to wait until they have sustained some compensable injury beyond violation of their statutory rights before they may seek recourse, as defendants urge, would be completely antithetical to the Act’s preventative and deterrent purposes.’”
And that’s hardly the entirety of it.
The Morrison Foerster analysis (which serves as a client alert) goes on to say that “regardless of whether federal courts manage to separate the issue of standing from substantive issues under BIPA itself, the clear position taken in Six Flags means that no court, federal or state, will be able to ignore it. In addition, in future cases, concerns about security and/or personhood are likely to become more pronounced, which may also pave the way for more and more courts to follow the ruling in Six Flags.”
Case law and precedent around biometric authentication, ID and data storage is still a work in progress, to put it mildly. And further complications are sure to arise sooner rather than later as biometrics make their way not only to more border crossings and airport security lines, but into relatively mainstream areas of payments and commerce.
That said, the time to figure out a game plan — to map out scenarios that will be influenced by the legal battles over these issues — is now, indicated the analysis from Morrison Foerster. “Potential exposure to liability under BIPA and other biometric privacy laws is real, and companies and other organizations that collect biometric data need to ensure that they comply with applicable law,” it said.