In recent years, the plaintiffs’ class action bar has focused its efforts on pursuing claims under legislative schemes that provide for statutory damages. The litigation explosion under the Telephone Consumer Protection Act (TCPA) is a textbook example of how enterprising lawyers exploit laws that provide for such uncapped damages in an attempt to extract large settlements for technical violations that, in many cases, have caused no cognizable harm. As plaintiffs begin to explore new claims under these legislative schemes, we seek to help our clients minimize their risk through heightened awareness of the technical requirements of new and existing laws, vigilant compliance programs, and aggressive defense against litigation. Biometrics is one such area.

Last year, we warned of a new wave of potentially high-exposure litigation under Illinois’ Biometric Information Privacy Act, 740 ULCS 14/1, et seq. (BIPA). That wave has included putative class actions against corporate defendants ranging from some of the largest social media and technology companies to a video game manufacturer and even a daycare center. Notably, since January 1, 2017, the Connecticut, New Hampshire, Washington, and Alaska legislatures have also proposed bills that would regulate the collection, retention, and use of biometric data.1 If passed, these bills could have significant implications for businesses that capture, obtain, store, or use biometric information.

Many of these new legislative proposals borrow from Illinois’ BIPA. As one of the first state statutes of its kind, BIPA imposes strict notice and consent requirements on organizations before they may “collect, capture, purchase, receive through trade, or otherwise obtain” biometric identifiers or biometric information (collectively “biometric data”). Specifically, an individual must be given written notice of, and provide written consent to, the initial collection and storage of his or her biometric data as well as the purpose and length of time that data will be stored and used.

Any business that collects or obtains such biometric data must (1) develop a written data retention policy available to the public that meets statutory requirements, (2) restrict the transfer or disclosure of biometric data to very limited circumstances, and (3) protect and store that data to, at least, the same degree it protects other confidential or sensitive information. In addition, BIPA creates a private right of action for an “aggrieved person” and provides for statutory damages of $1,000 dollars for each negligent violation and $5,000 for each intentional or reckless violation. As set forth below, the more recent proposed bills in Connecticut, New Hampshire, Washington, and Alaska contain similar provisions which would likewise create exposure for businesses that collect and use biometric data.

Connecticut
Earlier this year, Connecticut General Assembly Representative Tami Zawistowski introduced a bill that would “prohibit retailers from using facial recognition software for marketing purposes.” H.B. 5522, 2017 Gen. Assemb., Reg. Sess. (Conn. 2017). That new proposed house bill comes on the heels of a 2016 bill she co-sponsored that passed the Connecticut house chamber but failed to pass the Connecticut State Senate to become law. The 2016 bill would have required certain retailers to display a sign if they use facial recognition technology to capture any biometric identifier of persons entering their retail locations. H.B. 5326, 2016 Gen. Assemb., Reg. Sess. (Conn. 2016). It broadly defined biometric identifier as “a record of facial geometry, including, but not limited to, an image of an individual’s face captured and stored utilizing facial recognition software.”

And, its signage requirement, if passed, would have applied to “each retail business establishment having a fixed permanent location where goods are offered for sale on a continuing basis.” Both the proposed 2016 and 2017 bills follow passage of Connecticut’s 2015 Public Act No. 15-142, An Act Improving Data Security and Agency Effectiveness, which bolstered protections under Connecticut’s data breach law and expanded the definition of protected personal information to include biometric data such as fingerprints, retina scans, and voice prints.

Read the complete article in the link below.