Biometric data and wiretapping trends and adoption – Publications



July 14, 2023

As technology continues to open doors for the industry, adopters must be mindful of pitfalls and opportunities. Here we discuss risk and compliance best practices for organizations that implement technology related to the processing and collection of biometric data on websites.


Rules for managing biometrics

States have begun enacting laws specifically to address the collection and storage of biometric data, and more are expected to follow suit in the future. The most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA), the subject of hundreds of class action lawsuits over the past few years, resulting in multi-million dollar settlements.

Texas and Washington have also enacted laws governing the biometric data of their residents. Although neither law provides a private right of action—leaving enforcement to the state attorney general—both states’ laws impose certain notice and consent requirements along with biometric data retention limits. Although some industry-specific laws include limited biometrics protections, there is not yet a single, overarching federal law governing biometrics.


Compliance with BIPA Section 15(a) requires companies with biometric data to publish a publicly available policy. While there is no temporal component to Section 15(a), the Illinois Appellate Court has held that when a company collects biometric data, this policy must be implemented immediately, so having a policy in place prior to this collection is critical. The question of ownership is still a hotly contested issue, and the law is still uncertain, so it’s a good idea to publish a policy if there’s any question.

Section 15(b) is the most heavily litigated section of BIPA, but to date there is very little case law on notices and consent documents. Under Section 15(b), a company collecting biometrics is required to inform the person from whom it collects biometric information of the purpose of the collection and the length of time for which the data is being collected, stored, and used. Written consent must be obtained from the person whose data is being collected. Going forward, we expect to see more case law addressing what constitutes consent to collect.

Wiretapping

As more states introduce privacy legislation, class actions and arbitrations against website operators and third-party analytics companies using decades-old wiretapping laws have proliferated.

Almost every state has wiretapping laws. Although they vary from state to state, most impose liability on those who intercept the content of communications without authorization, and most impose criminal liability and allow for private civil causes of action. Cases often arise in states with all-party consent laws, such as California, Pennsylvania, and Florida, where wiretapping actions take place.

Litigation trends

Several recent cases have alleged illegal wiretapping using three technologies commonly used on commercial websites: session replay technology, chatbots, and tracking pixels.

A handful of plaintiffs’ firms are leading the charge in class actions, with one sending hundreds of demand letters to ecommerce sites operating in California and filing dozens of lawsuits.

The results of wiretapping litigation vary from state to state. In California, decisions have allowed motions to dismiss and found that vendors offering data-detection devices are not “eavesdroppers” under California’s wiretapping statute. In Pennsylvania, recent decisions have rejected findings on the elements of wiretapping claims. In Florida, there is a tendency to grant motions to dismiss session replay claims and to deny chatbot claims.

In addition, allegations that hospitals and health insurers are improperly sharing health data collected by web analytics tools, including data provided through patient logins, have abounded.

Risk reduction tips

  • Check disclosures:
    • Does the privacy policy include reference to online chats/session replay/pixels as sources of collection?
    • Does it accurately reflect the uses and disclosures of the information collected?
    • Is it linked in the buy-flow process and/or highlighted on the landing page?
  • Review the online chat functionality of a chatbot or live chat:
    • Is there a statement informing the user that the chat will be recorded and/or personal information collected?
    • Does such disclosure exist above or before the fields that collect the personal information?
    • Does this disclosure link to the privacy policy and terms, specifically if there is an arbitration clause?
  • Verify supplier contracts:
    • Are there indemnification clauses that can be claimed?
