BIPA Suit a Step Forward for Biometric PrivacyDecember 14, 2016 | Articles
Bloomberg Big Law Business reports on a recent settlement reached under Illinois' Biometric Information Privacy Act (BIPA), one of the few statutes nationwide aiming to protect consumers from the risks associated with biometric data collection.
The class action suit was brought in Chicago against LA Tan Enterprises Inc. for collecting customers' biometric identifiers without express consent. The company phased out key fobs for entry onto premises, instead requiring users to scan their fingerprints. While fingerprint scanning is a legitimate and legal method of identification, "the lawsuit claimed L.A. Tan failed to obtain written consent from customers to use this data, or provide information about how it would store their biometric data and when, if ever, that data might be destroyed if customers dropped their membership, the franchise closed or other circumstances arose."
Importantly, the article notes, "the suit did not accuse L.A. Tan of doing anything nefarious or losing or selling its customers’ biometric fingerprint data. Rather, the company did not treat the data as carefully as the law requires, the suit claimed." In addition to the settlement payment for the plaintiffs, L.A. Tan “will put processes in place to comply with the Illinois statute or destroy all biometric data it still holds,” ensuring the protection of current and future users’ privacy.
BIPA's provisions are the most comprehensive of their kind in the US, as the law seeks not to hinder the use of biometric technology, but rather to mitigate the risks inherent in collecting such deeply personal and unchangeable information.
"The consequences of losing biometric data are not yet totally clear," the article explains. "In 2015, hackers breached the federal government’s Office of Personnel Management and stole the fingerprints of 5.6 million government employees. Bruce Schneier, a cyber security expert and Fellow at Harvard’s Berkman Center, wrote a blog post in which he tried to imagine what this theft may mean in the future:
'5.6 million US government employees need to remember that someone, somewhere, has their fingerprints. And we really don’t know the future value of this data. If, in twenty years, we routinely use our fingerprints at ATM machines, that fingerprint database will become very profitable to criminals. If fingerprints start being used on our computers to authorize our access to files and data, that database will become very profitable to spies.'"
Carey Rodriguez Milian Gonya, LLP has brought a number of class action suits under the Biometric Information Privacy Act against Silicon Valley tech companies Facebook, Google, and Shutterfly, notably for obtaining consumers’ biometric information without consent as required by law. These companies allow users to opt out of this automatic feature, though, as CRMG partner David Milian notes, the sensitive nature of biometric data means such features must necessarily be opted into, after users have been informed about what the technology does and the associated risks.
"The data privacy concerns are enormous," he explains. "You can always change your password or get a new credit card or social security number if these websites are hacked, but you can't change your facial geometry."