Unforgettable: Why Biometrics Policies Matter

March 26, 2019

By: Brian Humke

Knowing your customer’s face can land you in court.

So can fingerprints, palm prints, retinal and iris scans, and voiceprints. Facial identification and other personal scans are all biometric data. Collect it, handle it, or fail to protect it, and you may be subject to litigation.

Private entities use biometric identifiers to determine access, verify the identity and activity of customers or employees, and track certain activities. Laws surrounding the use of biometric identifiers continue to evolve and many states do have restrictions. Protecting that data and complying with pertinent laws reduces the likelihood of litigation. To reduce potential legal issues, businesses need to:


  • Inform and obtain consent for use of biometrics.
  • Review insurance policies to determine coverage for alleged violations.
  • Develop written biometrics use policies.


In drafting effective written policies, start with these six key elements:

  1. Explain the purpose of the collection of biometric data.
  2. Identify the types of devices and their uses.
  3. Show how the data is stored and safeguarded.
  4. State the length of data storage and how it will be destroyed.
  5. Include biometric data in a data breach policy.
  6. Set requirements about how data will be used and kept by third-party vendors.


Biometric technology is relatively new. No current federal laws specifically address its use and application. However, recent legislation has been introduced in Congress relating to facial recognition.


All states have enacted data breach notification laws requiring businesses to notify consumers if their personal information has been compromised.


Iowa laws currently address data breach notification and the protection of student information. But statutes in other states affect Iowa businesses—either because the entities do business in those states or because of legal precedents being set.


On January 25, 2019, the Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that the Illinois Biometric Information Privacy Act (BIPA) allows an individual to seek damages and injunctive relief without the need to allege actual injury or adverse effect beyond violation of his or her rights under the act. In other words, you can be sued for a technical statutory violation even when there is no actual harm.


BIPA, enacted in 2008, was the first comprehensive biometric privacy legislation. The act:

  • Requires written notice and authorization from individuals before collection of biometric identifiers.
  • Requires inclusion of the purpose of the collection and duration of use or retention.
  • Requires protection of collected biometric data in the same manner as other sensitive and confidential information using a reasonable standard of care.
  • Specifies the requirements and situations when the biometric information can be disclosed.
  • Provides for a private right of action for damages and relief.


In 2018, California enacted the California Consumer Privacy Act (CCPA). This act is comparable to the GDPR, and amendments are continual. The most current version of the CCPA does contain a limited private right of action.


On the international front, the General Data Protection Regulation (GDPR) is a sweeping change in data and privacy regulation. The European Union regulation applies to the processing of “personal data,” data that can be used to identify individuals. In addition to companies in EU member states, the law applies to companies offering goods or services or monitoring behavior in the EU. The GDPR’s broad concepts will take time to clarify businesses’ obligations.


A facial identification scan is more than data. Handled incorrectly, it’s potential for litigation. If you have questions, contact your Nyemaster Goode attorney.