2020 Biometric Data Update

Written by: Brett Lawrence, Esq.

The utility of biometric data is more prevalent than it has ever been, primarily because developing technology has created a broad swath of convenient uses for it. It can help law enforcement authorities quickly target wanted individuals and also secure a business’ access to proprietary information. The best and most relatable example being the Apple iPhone’s fingerprint and facial recognition software.

However, with such valuable information comes heightened privacy concerns. Unlike the typical information businesses collect from its consumers and employees—name, email address, phone number, etc.—biometric data broadly encompasses an individual’s immutable characteristics and even behavioral patterns. Aside from data breaches, which are invariably a cause of concern for data protection, the prevailing news topic lately has been the legality and ethicality of the collection and use of biometric data.

European Union

Last month, news emerged that Hamburg, Germany’s privacy commissioner was requesting information from the New York‑based facial recognition start-up company, Clearview AI, regarding its collection and processing of individual biometric data in the city. The investigation stemmed from a complaint filed against the company in February stating that Clearview was collecting images of the city’s citizens without their consent. The applicable privacy law is the European Union’s General Data Privacy Regulation (“GDPR”). The GDPR defines “biometric data” as the “physical, physiological or behavioral characteristics of a natural person,” that can lead to the confirmation of an individual’s identity, such as a photograph. The GDPR generally forbids the collection of biometric data absent, among other things, explicit consent or a showing of a vital interest or legitimate activity in doing so.

Recall that in January of this year, the New York Times reported that Clearview was mass collecting billions of unique images with unfettered discretion of individuals from social media platforms and providing the database to more than 600 law enforcement agencies. To date, Clearview has not complied with the privacy commissioner’s request and is on record arguing that it does not fall under the GDPR’s jurisdiction. Unless it complies with the investigation, Clearview may be fined €10,000 for each of the privacy commissioner’s seventeen questions that are unanswered.

United States

In a more benign example, Little Caesars Enterprises Inc. is currently facing a federal class action lawsuit for violating Illinois’ biometric data law, the Illinois Biometric Information Privacy Act (“BIPA”). Similar to the GDPR, BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” BIPA allows the collection of biometric data if (1) the collector gives written notice to the recipient of the purpose for collecting the information and the length of time it will be stored, and (2) the recipient provides written consent.

The lawsuit is brought by employees who claim the long‑time pizza franchise failed to provide the statutorily‑required notice and receive written consent before collecting their fingerprint data. The data was collected from the company’s biometric time clock system that requires each employee to scan their fingerprint. The lawsuit is still pending, and we will provide updates as the case further materializes.


As seen briefly in these two instances, biometric data can be incredibly convenient for multiple industries. But with the sensitive nature of the information that biometric data entails, governments and individuals alike are going to continue to enforce strict protocol on the collection and use of such data.