Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures, and (iii) mandate specific retention criteria, as described below.
Continue Reading Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action

Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (BIPA) stands out among state biometrics statutes nationwide in that it includes a private right of action for anyone “aggrieved” by a private entity’s failure to comply with BIPA’s compliance requirements. The Illinois Supreme Court recently ruled that a plaintiff may assert that they are

The Fourth Amendment right of the people “to be secure in their persons, houses, papers, and effects” has been center stage in debates over technology that scarcely could have been imagined at the time it was written. See, e.g., Carpenter v. United States, 138 S. Ct. 2206 (2018); United States v. Jones, 565 U.S. 400 (2012). With less fanfare, however, the Fifth Amendment has emerged as another critical consideration in recent cases focused on the protection of information accessible only through biometric scans (such as fingerprint or facial recognition). In the latest example of this trend, the U.S. District Court for the Northern District of California found that the Fifth Amendment right against self-incrimination prohibited the compelled use of biometric smartphone unlocking features, such as fingerprint, thumbprint, facial, or iris recognition, in In the Matter of the Search of a Residence in Oakland, California, No. 4-19-70053, 2019 WL 176937 (N.D. Cal. Jan. 10, 2019). Cases like this one read the right even more broadly than those dealing with the compelled production of passwords. Practitioners should monitor this ongoing judicial dialogue about how the Fifth Amendment should apply to issues newly arising in the information age.

The Northern District of California’s Fifth Amendment analysis in Oakland

In Oakland, the Government applied for a warrant authorizing investigators to compel any individual present at a residence connected to two extortion suspects to utilize biometric features to unlock digital devices found at the residence. Relying on recent U.S. Supreme Court decisions directly addressing the Fourth Amendment, including Carpenter, U.S. Magistrate Judge Kandis A. Westmore ruled that law enforcement could not force suspects to use biometric features to unlock digital devices because using such a feature would be testimonial for purposes of the Fifth Amendment’s protection against self-incrimination. In addition, Judge Westmore ruled that the “foregone conclusion” exception did not apply. She thus denied the warrant application.

In her analysis of whether using biometric features would be testimonial, Judge Westmore was mindful of the fact that “technology is outpacing the law” in some areas. She noted the U.S. Supreme Court’s direction in Carpenter to take technological advances into account when addressing constitutional issues and noted that courts “have an obligation to safeguard constitutional rights and cannot permit those rights to be diminished merely due to the advancement of technology.” 
Continue Reading Recent rulings indicate Fifth Amendment may join Fourth Amendment as critical consideration in courts’ efforts to apply constitutional protections to smartphones and other new technology

At the end of February, the Government of the Republic of Kazakhstan enacted Decree No. 117, providing that the types of personal data to be stored in the state’s electronic database are:

  • Full names and addresses of data subjects
  • Birth dates and birth places
  • Nationality and citizenship
  • Gender and family status
  • Individual identification numbers and

The amount of data collected worldwide is rapidly proliferating, and one international organization wants to make sure it’s clear how to protect what is arguably the most sensitive category of that data: biometrics.

The Biometrics Institute, which has branches in London and Sydney, released new revisions to its Biometrics Privacy Guidelines to its members on February 2, providing recommendations on smart and respectful collection of data, including retina and iris scans, fingerprints, voice prints, and face geometry.  With principles targeting informed consent, purpose, proportionality, and respect for client privacy, the Guidelines offer best practices to organizations looking to safeguard customer information while staying on the right side of regulators.  Few laws have been enacted in the United States specifically addressing biometric data, with Texas and Illinois being the outliers; but with increasing numbers of data breaches and consumer privacy actions regularly being brought under generic unfair and deceptive practices laws, principles such as these can help businesses be prepared in advance.
Continue Reading New Guidelines on Collecting Biometric Data Help Businesses Stay Ahead of the Game

An Illinois federal district court recently denied a request by online image publisher Shutterfly, Inc. and its subsidiary, ThisLife Inc., to dismiss a putative class action lawsuit alleging that the companies’ facial recognition-based system of photo-tagging violates the Illinois Biometric Information Privacy Act (BIPA). That law, which dates to 2008, prohibits companies from collecting and storing people’s “biometric identifiers,” including scans of face geometry, without their consent. The measure also obligates companies that gather biometric data to notify people about the practice, and to publish a schedule for destroying the information.
Continue Reading Illinois Federal Court Allows Biometric Data Privacy Suit to Proceed

The Hong Kong Commissioner has published guidance (‘Guidance’) to assist data users in complying with Hong Kong’s privacy laws when processing biometric data, and takes a broader approach than previous guidance dealing with when and how biometric data may be handled by an organisation.

Although no distinction is drawn between personal data and sensitive personal data in Hong Kong’s data protection legislation, biometric data appears worthy of greater protection because of its sensitive nature. As a result, the Guidance outlines stricter standards expected of organisations when they handle both physiological and behavioural biometric data.

Continue Reading Hong Kong Commissioner upgrades rules for processing biometric data