The rapid embrace of biometrics creates significant concerns relating to protecting the privacy of individuals. Biometric technologies are in use in many industries — automotive, travel, security, health care, insurance, banking and other financial services — and across multiple industries in the field of workforce management. Uniformity of regulation is lacking in most states, however.
Illinois passed the Biometric Information Privacy Act (BIPA) in 2008. It sets requirements for private entities relating to retention, collection, disclosure and destruction of biometric information. BIPA grants a right of action to individuals harmed by a violation of the law. Multiple class actions have been filed, and companies have taken care to avoid potential liability. Google denied access to its Google Art & Culture mobile application to Illinois residents, and the smart home technology company Nest disables the facial recognition capability in its smart doorbell.
In 2009, Texas codified its law requiring notice of collection and consent by individuals before biometric identifiers can be captured and used for commercial purposes. Contrary to BIPA, no written consent is required for the collection of biometric data. Only the attorney general may bring action. The penalty for each violation is capped at $25,000. Washington passed its biometric privacy statute in 2017. The definition of biometric identifiers is broader than those used in the Illinois and Texas statutes. It carves out an exception to providing notice and obtaining consent for security purposes, including preventing shoplifting, fraud, misappropriation or theft.