Don’t Smile at the Camera – New Biometric Data Laws

By Gary A. Kibel of Davis+Gilbert LLP & Oriyan Gitig of Davis+Gilbert LLP on February 17, 2021

Biometric data is seen as a preferred means of identification by many businesses. Unlocking a smartphone using facial recognition and other biometric identifiers, for example, gives users the feeling that they are better protected (e.g., less risk of identity theft). However, similar to the boom in privacy developments and legislation related to the collection and use of more traditional personal information, the growth of biometric data use by businesses, law enforcement, employers and other organizations has given rise to renewed privacy concerns and legal developments.

While there is no uniform federal biometric data privacy law, several states either have existing laws or are in the process of drafting or ratifying new laws. Although it remains to be seen how such legislation will change the industry’s use of and reliance upon biometric data, the fact that it is increasingly the subject of analysis and discussion indicates a demand and a need for reasonable security and privacy practices around the collection and processing of biometric data, whether required by law or not.

Existing State Laws – Illinois

While several states, including Texas, Washington, California, New York and Arkansas, have existing laws that directly govern or otherwise address biometric data in some fashion, only one, Illinois, has a comprehensive law that offers a private right of action to aggrieved individuals. The Illinois Biometric Information Privacy Act (BIPA) imposes rigorous requirements on businesses that collect or otherwise process biometric data, including requiring consent from the consumer before the collection of such data and disclosure of their policies regarding its use and retention.

Unique to BIPA is the individual’s private right of action, whether or not the individual was actually injured by the BIPA violation. In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that a violation of BIPA alone, regardless of damage or injury, is enough to give rise to such private right of action. If found to be in violation of BIPA, penalties (on a per-violation basis) may range from $1,000 to $5,000. As a result, BIPA has become a favorite tool of class action lawyers and an expensive issue for businesses.

New and Pending State Laws – Oregon & New York

The City of Portland, Oregon, enacted a city-wide ordinance on January 1, 2021 prohibiting (with a few exceptions, e.g., for compliance with law and user verification purposes) the use of facial-recognition technology by private entities in places of public accommodation (which are defined as, “any place or service offering to the public accommodations, advantages, facilities or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise.”).

Notably, in addition to standard privacy concerns, the genesis of this statute seems to have derived from a concern that all residents and visitors of the city be treated fairly and equally with respect to surveillance and the use of biometric data, as well as growing evidence that some uses of facial recognition technologies have resulted in misidentification and biased practices with respect to race and gender.

There is some uncertainty around what constitutes “facial-recognition technology,” as well as whether informed consent creates an exception to the prohibition since the ordinance does not address how an individual’s consent to the collection and use of such data would impact the prohibitions. Similar to BIPA, the Portland ordinance also provides for a private right of action, with penalties up to $1,000 per day for each day of the violation.

On January 7, the New York State Legislature proposed the Biometric Privacy Act (BPA). Whereas the Portland ordinance prohibits outright the use by private entities of facial recognition technologies, the BPA seeks instead to enhance the privacy rights of individuals and controls around the collection and processing by private entities of biometric information.

Prior to collection, the individual must be informed of the:

  • Specific biometric data to be collected, and
  • Purpose and duration of the collection and use.

The individual must also give written consent to the foregoing.

Additionally, the BPA imposes restrictions on the use and disclosure of such biometric data by the entity that collected or otherwise received it. The BPA also provides “aggrieved” individuals with a private right of action with penalties ranging from $1,000 to $5,000 (or, if greater, actual damages).

The Bottom Line

The confluence of privacy, security, societal and other reasons has resulted in increased scrutiny over the use of biometric data through new proposed laws. In the absence of a consistent federal standard, businesses should assess their biometric data collection and use practices and technologies, implement a written policy, plan for the collection and use of such data, and ensure disclosures and consents, as appropriate, are given to and received by individuals whose data is collected.

Gary A. Kibel of Davis+Gilbert LLP

For companies operating at the intersection of digital media, advertising, technology and consumer privacy, the legal landscape is rapidly evolving. Gary Kibel provides much-needed direction to clients involved in both emerging businesses and well-established companies engaging new technologies. While most of his clients are, broadly speaking, in the marketing industry, his deep knowledge of privacy and data security issues makes him a sought-after counselor to companies in the technology, e-commerce, financial services and employment sectors as well.

In the digital media space, where entire industries can rise and fall seemingly overnight, he helps his clients confidently navigate uncharted terrain. They count on him for guidance in complying with — and helping to shape — the best practices that must serve their industry in the absence of legal precedents. For more mature companies, he helps clients incorporate new concepts into existing infrastructures.

Much of Gary’s time is spent staying current in this fast-paced environment. Whether through his representation of key industry clients, his active involvement in trade associations or his recognized thought leadership, he is deeply immersed in the issues facing tech-forward companies. Clients call on him, literally every day, to provide crucial perspective on cutting-edge issues with enormous consequence to their business.

In the privacy space, where laws are rapidly evolving as well, Gary keeps his clients moving forward in a manner designed for compliance, taking care not to impede their progress. Part of his approach is to ensure that regulatory compliance, far from being a debilitating obstacle, can be turned to a strategic advantage by companies that can incorporate the right policies into their commercial platforms. For clients who may be targets of privacy complaints, he suggests timely and practical options, assuring that their disclosures and processes will be both comprehensive and well thought out.

Gary co-leads a team focused on the CCPA, GDPR, and other enacted and pending state and federal legislation, as well as self-regulatory regimes. In addition, he regularly advises clients regarding the burgeoning industry of CBD/cannabis marketing practices.

Oriyan Gitig of Davis+Gilbert LLP

With Oriyan Gitig’s counsel, creative agencies and technology companies understand and uphold privacy and data security obligations. She provides practical solutions clients can use to manage their responsibilities efficiently within a rapidly changing legal and regulatory landscape.

In a privacy environment that often lacks extensive legal and regulatory precedent, Oriyan assists clients in developing best practices based on commonsense risk analyses. She draws on significant data privacy experience and her advertising and media industry insights to guide clients in structuring business services and strategies that reflect the latest privacy and security mandates.

In addition to ensuring clients’ internal policies align with best practices and legal requirements, Oriyan assists those clients in negotiating a variety of agency-client and master service agreements and technology-based initiatives, as well as terms and policies to govern and manage their online and digital properties. Clients appreciate that her professionalism, strong interpersonal skills and commitment to achieving constructive solutions allow them to move forward without sacrificing necessary protections or business goals.

For smaller businesses, Oriyan often provides ongoing legal support as their outside “in-house” counsel. She partners with senior executive and manager-level personnel to provide advice for their privacy and data security strengths, weaknesses and capabilities within their internal companywide controls and infrastructures.

Before she joined Davis+Gilbert, Oriyan spent five years as an associate at Weil Gotshal & Manges. She actively supports firm diversity and pro bono initiatives and mentors new associates.

  • Posted in:
    Featured Posts, Intellectual Property
  • Blog:
    ILN IP Insider
  • Organization:
    International Lawyers Network