Compliance with the Illinois Biometric Information Privacy Act—which imposes strict consent requirements on entities that collect, use, and store biometric information—is straightforward, but the cost of running afoul of its requirements can be potentially catastrophic.
Biometrics can offer a more secure and user-friendly alternative to traditional passwords, so it is no surprise they have been incorporated into new and existing technologies that touch nearly all facets of everyday life. The collection of biometric information, such as through face, iris, and fingerprint scans, can happen in many contexts that are applicable to the higher education sector, including screening for COVID-19, tracking employees' working time, and limiting access to restricted areas and buildings. Most recently, higher education institutions have employed remote proctoring software that uses biometric technology to allow students to take exams safely and securely. As recent class action complaints against colleges and universities and proctoring companies demonstrate, however, the use of this technology is not without risk.
To date, only three states have enacted stand-alone legislation that specifically addresses the commercial collection, storage, and use of biometric information. Among those, only Illinois provides a private right of action that allows individuals to initiate civil litigation. (Other states have proposed legislation similar to the Illinois statute, and some municipalities, including New York City, have recently enacted their own biometrics-specific laws.) A number of plaintiffs have filed class action lawsuits against colleges or universities, alleging that the schools failed to abide by the Illinois law's strict requirements when collecting biometric information from students who use remote proctoring software.
The recent Illinois lawsuits expose the institutions to potentially millions of dollars in statutory damages and plaintiffs' attorneys' fees, to say nothing of the reputational risk involved. This article discusses the Illinois law and other emerging risks for institutions across the country that collect biometric data, regardless of whether they are subject to the Illinois law. Indeed, the legal landscape for the collection, use, and storage of biometric information is changing rapidly.
The Illinois Biometric Information Privacy Act (BIPA)
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, imposes strict consent requirements on entities that collect, use, and store biometric information, such as that collected through face, eye, or fingerprint scans.
BIPA regulates biometric identifiers, which it defines as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. In turn, the law defines biometric information as any information based on an identifier that can be used to confirm an individual's identity.
BIPA generally imposes five separate requirements on entities that collect, use, and store biometric information.
- Consent to collect, use, and store: The majority of BIPA lawsuits thus far have alleged violations of BIPA's consent requirement. This requires entities to obtain written consent from an individual prior to collecting or otherwise obtaining biometric information. The obtaining entity must explain why and for how long the biometric data is being collected, stored, or used.
- Consent to disclose and disseminate: BIPA includes a separate consent requirement for disclosing an individual's biometric data. Notably, the consent requirement can be satisfied in the employment context by obtaining a written release as a condition of employment.
- Prohibition against profiting: BIPA explicitly prohibits private entities from selling, leasing, trading, or otherwise profiting from an individual's biometric data.
- Retention policy: Importantly, entities that are subject to BIPA must also develop, publish, and abide by a retention schedule for the biometric data they collect. Biometric data must be destroyed by the time that the purpose of the initial collection has been satisfied or three years from the last interaction between the entity and the individual, whichever is earlier.
- Reasonable standard of care: Finally, entities that possess biometric data governed by BIPA must store, transmit, and protect biometric data (1) using the reasonable standard of care in the entity's industry, and (2) in a manner consistent with how the entity handles other sensitive information. This two-prong requirement underscores the need for institutions and related entities to incorporate biometrics into their data compliance programs and to stay abreast of both security threats and breach prevention and response best practices.
Compliance with BIPA is straightforward, but the cost of running afoul of its requirements can be potentially catastrophic, bringing to mind Benjamin Franklin's axiom, "an ounce of prevention is worth a pound of cure."
Recent Class Action Litigation
BIPA went relatively unnoticed until 2015 when plaintiffs' law firms discovered the law's rich statutory penalty provision: $1,000 per violation (up to $5,000 per violation if the violation is reckless or intentional), plus attorneys' fees, with no cap on damages. It is easy to see how exposure under BIPA could grow exponentially in the context of a class action lawsuit involving hundreds or thousands of class members. Indeed, in 2020 alone, putative class actions have settled for tens and hundreds of millions of dollars. With the expansion of biometric technology into virtually all aspects of modern life, it is no surprise that plaintiffs' firms have targeted virtually every susceptible industry with BIPA claims. The higher education sector is only the most recent example.
In the first few months of 2021, plaintiffs have filed multiple class actions against colleges and universities and proctoring software companies based on allegations that the defendants unlawfully collected, used, and stored students' biometric information in the course of administering exams.
Thus far, plaintiffs' firms have targeted Illinois-based higher education institutions. That said, schools outside of Illinois could face similar complaints if their students are considered Illinois residents. Further, vendors of higher education institutions (as well as vendors of other businesses) have been named in BIPA lawsuits. Third-party liability under BIPA is still developing, and whether a vendor is liable under BIPA will likely involve specific questions of fact, including whether the vendor itself collected, stored, or used the biometric information or instead provided the biometric technology used by the institution.
Other Biometrics Laws
Washington and Texas have also enacted biometrics laws, although those statutes are only enforceable by each state's attorney general. Notably, a number of other states are considering their own biometrics laws patterned after the Illinois BIPA, complete with a private right of action. Recently, New York City enacted its own biometrics law, as did Portland, Oregon.
In addition, a growing number of states have incorporated biometrics into their data-breach notification statutes, and at least one state's attorney general has instituted civil proceedings against a company that collects biometric data. At the federal level, biometrics are addressed in a small number of industry-specific statutes, the Federal Trade Commission has filed complaints against companies that collect and use biometric information, and a handful of bills have been introduced in the US Congress. In short, the legal landscape for biometrics in the United States is unsettled and developing.
The past few years have seen dramatic innovations in biometric technology, and higher education has reaped many of the benefits these innovations provide. In light of the pandemic, many entities have employed biometrics out of necessity and on a faster timetable than would allow for a full review of the attendant legal implications. Unfortunately, plaintiffs' attorneys have taken note.
Institutions that employ biometric technology should therefore self-police to remain compliant with the few existing laws and stay abreast of the rapidly changing landscape. An integral aspect of compliance is reviewing the practices of—and contracts with—third-party vendors that collect this information in conjunction with or on behalf of the institution. This is true with respect to remote proctoring software and other contexts. For example, colleges and universities may collect biometric information from their employees, faculty, or students as part of COVID-19-related health screenings, time-entry software, or secure location or building access. Any of these examples could give rise to BIPA liability as well as other current and future legal headaches regardless of the geographical location of the institution or its students.
Frank Nolan is a Partner at Eversheds Sutherland (US) LLP.
© 2021 Frank Nolan. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.