Update on Global Biometric Laws

Introduction

Biometric laws continue to be a hot topic for both legislators and businesses. An increase in new laws, biometric privacy class action lawsuits, and arbitration along with an uptick in proposed legislation, prolific use by law enforcement, and widespread criticism of both facial and voice recognition technologies prove that biometrics will remain a hot topic for some time.

What Is Biometric Data?

Biometrics are measurements related to a person’s unique physical characteristics, including but not limited to fingerprints, palmprints, voiceprints, facial, retinal, or iris measurements, and more. A person’s biometric data – their specific measurements – can be used as unique identifiers.

United States

The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008, making Illinois the first state in the U.S. to enact a biometric data privacy law. The law requires entities that use and store biometric identifiers to comply with certain requirements and provides a private right of action for recovering statutory damages when they do not.

BIPA Litigation & Legislative Changes

BIPA has remained in the headlines due to the steady rise in litigation, as case law has made it easy for claims to be brought and to pass standing muster.[1] Upwards of 2,000 lawsuits have been filed under the law since roughly 2018.

A decade after its enactment, several recent cases have put BIPA in the headlines and made it easier to file BIPA suits. In 2020, the Facebook BIPA class action lawsuit Patel v. Facebook, Inc. reached one of the largest consumer privacy settlements in U.S. history, $650 million, to resolve claims that it collected user biometric data without consent. In October 2022, a federal court in the Northern District of Illinois awarded a plaintiff class $228 million in damages in a BIPA suit against BNSF Railway.

The case that brought the law to the forefront of attention was Cothron v. White Castle System, Inc. just last year in February 2023, where the Illinois Supreme Court held that a separate claim accrues under BIPA each time a private entity scans or transmits a person’s biometric identifier or information in violation of the law. The ruling found fast food chain White Castle violated BIPA each time its employees used their fingerprints in the course of performing their jobs, as the company never obtained permission under the law. White Castle estimated it would be on the hook for up to $17 billion in penalties, as the law provides for $1,000 in damages for each “negligent” violation or $5,000 for each “reckless” or “intentional” violation.

Although White Castle settled the case for $9.4 million in March 2024, in April 2024, the Illinois Senate advanced changes to BIPA. The legislation aims to change BIPA’s violation accrual so that each initial collection of a fingerprint or other biometric data would amount to one violation, rather than a violation occurring for each individual scan. Employees might scan their fingerprints dozens of times per shift if they’re unlocking doors or cabinets with those scans. A business is in violation of BIPA if it doesn’t have a storage policy in place, doesn’t properly protect the data, or if it does not get consent from customers or employees for the data being collected.

The legislation aims to allow businesses to obtain consent via an electronic signature, which the bill defines as an “electronic sound, symbol, or process.” Business groups remain split on the legislation because the bill is not written to apply retroactively and doesn’t specifically shield data centers from liability for storing biometric information on behalf of companies who may have violated BIPA.

Patchwork Framework

Aside from BIPA, the collection and use of biometric information is governed by a patchwork of legal frameworks. For example, comprehensive state privacy laws in California, Colorado, Virginia, Connecticut, and Utah regulate biometric information as a form of “sensitive” information. Texas and Washington also have broad biometric privacy laws on the books, but neither creates a private right of action like BIPA does. New York City and Portland, Oregon, have also passed tailored biometric privacy measures. New York City’s law, which is applicable to certain commercial establishments, provides a private right of action.

Colorado

Colorado has been very busy in the biometric space. In 2022, it elected to restrict the use of specific types of biometric data in narrower use cases by restricting the use of facial recognition technology by state and local government agencies. On May 31, 2024, Colorado amended the Colorado Privacy Act regarding the use of biometric information (the “Biometric Amendment”).

The Biometric Amendment, effective July 1, 2025, requires employers to obtain consent before collecting and using biometric information, and to adopt biometric policies. The Biometric Amendment’s requirements are analogous to those of BIPA; however, the Biometric Amendment poses much less risk as it does not provide a private right of action for violations. Instead, the Biometric Amendment, like the Colorado Privacy Act, can only be enforced by the Colorado attorney general and district attorneys.

Vietnam

Vietnam’s new digital ID law, the Law on Identity, which mandates biometrics use, goes live July 1, 2024. Vietnam lawmakers made an intentional shift from the previous 2014 Law on Citizen Identification to enhance the efficiency of administrative procedures, facilitate the provision of online public services, drive socio-economic development, and establish a digital citizen identification system. From July 1, iris biometric details will be collected with fingerprints and facial images when citizens apply for an ID card.

The Identity Law introduces several key changes, including the mandatory collection of biometric information for citizens applying for ID cards. A clause in the law mandates that assigned state agencies will collect identification data, including facial images, fingerprints, and irises from applicants. The move is designed to bolster the security and accuracy of identity verification processes. The government envisions that the new Identity Law will not only simplify administrative processes but also pave the way for more robust digital public services. This legislation aligns with Vietnam’s broader goals of accelerating digital transformation and fostering a secure, efficient digital economy.

Germany

German lawmakers are calling for a ban on biometric surveillance and accusing German law enforcement of handing over sensitive biometric data for commercial purposes, as criticism piles up over the secretive use of a real-time facial recognition system by German law enforcement.

The German Federal Parliament is currently discussing a draft law aiming to amend the Federal Data Protection Act (BDSG), presenting a window of opportunity to regulate biometric surveillance in public spaces. The calls for a ban stem from a parliamentary inquiry earlier this year, which showed that the police in the eastern German state of Saxony were using a live facial recognition system called the Personal Identification System (PerIS) to track suspects. In June, Saxony’s data protection office said that the use of the system could be unconstitutional, with the agency now considering an investigation into the Saxon Ministry of the Interior. Groups asserted that the same technology used by the Saxon police has also been secretly used in other areas, including North Rhine-Westphalia, Brandenburg, Baden-Württemberg, Berlin, and Lower Saxony.

Footnotes

  1. In Rosenbach v. Six Flags Entertainment Corp. the Illinois Supreme Court held that a plaintiff can be considered an “aggrieved person” under the statute and “be entitled to liquidated damages and injunctive relief” without alleging an actual injury. Then, in May 2020, the U.S. Court of Appeals for the Seventh Circuit in Bryant v. Compass Group USA, Inc. clarified that such a person has suffered an injury-in-fact sufficient to support standing.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

About the Author

Jade Davis

Partner | Tampa Office

T: 813.329.3890
E: jdavis@hallboothsmith.com

Jade Davis focuses her practice on data privacy, cyber security, and construction matters. Jade provides strategic privacy and cyber-preparedness compliance advice and defends, counsels, and represents companies on privacy, global data security compliance, data breaches, and investigations.