Biometrics in 2022: Employees, the FTC, Dashcams, Time-Keeping Software, etc. 

Privacy Plus+

Privacy, Technology and Perspective 

This week, let’s look at a recent $50 million class action settlement by McDonalds benefiting its Illinois employees who were required to use their fingerprints to log into or use the restaurants’ systems.  Are there lessons to be drawn here, especially in light of the Federal Trade Commission’s (“FTC”) 2021 enforcement actions on facial recognition, and the increasing attention to issues with biometric identifiers across law enforcement, civil rights, and other fronts?

The Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1, et seq., prohibits private companies from collecting, capturing, obtaining, storing, transferring, and/or using the biometric identifiers and/or information of individuals for any purpose without first providing notice; obtaining informed, written consent; and publishing data retention policies. Under BIPA, a “biometric identifier” generally means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, and “biometric information” means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Violations of BIPA carry statutory penalties of up to $5,000 per violation.  (Recall that Texas and Washington State have statutes governing biometric identifiers, too, but no private right of action.)

You can read the Illinois BIPA statute by clicking the following link:

http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57

In Lark v. McDonalds, the plaintiffs alleged that McDonalds Corporation, its affiliates, and franchisees operating in Illinois violated BIPA by requiring certain employees to submit their biometric identifiers and/or biometric information without first providing the requisite disclosures and obtaining the requisite consents. The Defendants denied the allegations and asserted that they complied with BIPA, but agreed to a hefty $50 million class settlement. A link follows to the Arthur Lark BIPA Settlement Website, which contains, among other things, the Complaint that initiated the suit:

https://arthurlarkbipasettlement.com/

Recently, the FTC has also prioritized the policing of biometrics (or at least the use of facial biometrics and facial recognition technology).  Early in 2021, the FTC settled its first biometric enforcement action, specifically targeting the facial recognition practices of photo developer EverAlbum, Inc.  EverAlbum offered an app named “Ever” that allowed users to upload photos and videos from their mobile devices, computers, or social media accounts to be stored and organized using the company’s cloud.  According to the Complaint, EverAlbum later introduced a new feature to its service that used facial recognition technology.  The FTC found large gaps in EverAlbum’s disclosures and consent procedures, and major disconnects between what EverAlbum had promised and what it was actually doing.  (According to the FTC, EverAlbum said it would only use facial recognition if a user affirmatively activated it, but then the company activated it automatically (without the ability to turn it off) for everyone except residents of IL/WA/TX and the EU; augmented its system with photos from other sources without the users’ express consent; and kept the photos even after users had deactivated their accounts.)

For more on the EverAlbum action and its settlement, see the FTC release on the following link:

https://www.ftc.gov/news-events/press-releases/2021/01/california-company-settles-ftc-allegations-it-deceived-consumers

In addition to these examples, we see many other issues attendant to facial recognition and the use of other biometrics, many of which are collected in the following article:

https://www.jdsupra.com/legalnews/jump-in-facial-and-voice-recognition-7138198/

And we’ve previously written on biometrics and biometric information privacy laws, including in the following two posts on:

Our view:  Steer carefully around biometrics in 2022

For commercial clients – in 2022 and beyond – we recommend comprehensively assessing the privacy and security impacts of any proposed use of biometrics before implementing (or contracting for) any service that uses them. Once such an assessment is complete, we find many companies opt to implement other solutions with less legal complexity and risk.

Companies that do opt for biometrics, however, should maintain robust procurement practices and compliance programs to mitigate the risks posed by the current patchwork of applicable statutes and ordinances (IL/WA/TX/CA/NYC/EU etc.), as well as the attention of the class action bar and the FTC.  The following is a non-exhaustive list of items to consider in that regard:

Privacy by Design. Design and/or implement services that utilize biometrics only if those services have made privacy a top priority.  Does the service provider have a publicly posted privacy notice?  How sophisticated is that privacy notice?  Does it include retention schedules? What does the service provider’s contract say (or not say) about the accuracy and security of the biometric technology?  Will the service provider have access to the biometric information?  Has the service provider already been targeted by the class action bar for its biometric practices?

Privacy Notice. Companies must post a publicly available privacy notice that accurately represents their privacy practices.  Personal information, including biometric information, cannot be used in a manner that is materially different than what was represented in the privacy notice at the time that that information was collected. This means companies must prepare their notices with “foreseeing change” in mind, and constantly revisit those notices every time a material new feature or practice is introduced, in order also to obtain consent from the data subjects for new uses of their personal information.

Written Notice & Consent. For biometric information, companies should provide an additional specific written notice at the time of the collection of biometric identifiers and/or biometric information, and obtain an affirmative written consent and/or signed release from data subjects before their biometrics are collected.

Retention Policies.  In Illinois, companies must also issue policies regarding the retention and destruction of biometric information and make their policies available to the public.

Nondiscrimination Policy.  The FTC also recommends maintaining a policy of barring the use of facial recognition for discriminatory purposes.  The discrimination issues around facial recognition technologies are particularly problematic, and these issues should be well-considered by all companies, especially those that prioritize ESG.

Follow Your Policies.  Often, having a policy and not following it is worse than not having a policy at all. Disregarding an explicit policy (especially if it is consumer-facing) may be seen as misleading, deceptive, a contract breach, or even fraudulent.

Adequate Data Security.  Companies must maintain reasonable data security measures to prevent unauthorized access to biometric data. Remember: passwords can be changed.  Fingerprints cannot.

Think Beyond Facial Recognition and Voiceprints. As liability exposure increases, companies operating in the U.S. should adjust. Technologies like “smart” dashcams, vehicle and body cameras, time-keeping software, voice-recognition technologies and other technological solutions aimed not only at convenience but also at safety, productivity, expense reimbursement, and loss prevention may implicate biometric identifiers and/or biometric information.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 

 

 
