Legal Brief: Biometrics, the Law and Your Company

Sept. 13, 2019
How a recent ruling against Facebook may impact any business collecting biometric data
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at tpastore@mmwr.com.
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at [email protected].

Back in was February of this year, I was in Salt Lake City to deliver the keynote address at The Monitoring Association’s annual Technology Summit. The topic that day was “Artificial Intelligence in Security Systems: Preliminary Legal and Privacy Implications.” This is a topic that I have also addressed in this column (see, for example, “Privacy in the Age of AI and Biometrics” at www.securityinfowatch.com/21044726).

Among the points that I raised to the audience that day was the practice by Facebook and other technology companies – maybe even security companies as well – of harvesting and storing the biometric data of its users, particularly facial recognition data. As I delivered my presentation, I wondered aloud – jokingly – whether Facebook had captured my facial image and determined, through artificial intelligence, to market hair restoration products directly to me because I have thinning hair.

Seriously – nearly every advertisement that I see on Facebook is for hair transplants, hair gels, scalp regenerating tools, etc. As hair is a unique biometric identifier, I have no doubt that Facebook targets me based on my appearance.

Biometrics in the Courts

Not only is Facebook targeting its ads, but it is fighting very hard to protect its right to use biometric data to do so; in fact, Facebook has been fighting for years in court over the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS/14 and Public Act 095-994). In 2015, Facebook was sued under BIPA by a putative class of Illinois Facebook users who alleged that Facebook’s photo tag feature violates BIPA.

BIPA was the first law (and perhaps the strictest) in the United States protecting biometric data. Other states, such as Texas, Alaska, California, Idaho, Massachusetts, Montana and New York, have some form of statutory biometric protection, but none rise to the level of protections afforded by BIPA.

In particular, BIPA defines biometric data as “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” It is not clear if “face geometry” extends to the hairline – which I jokingly suggest could be an ambiguity in the law.

Under BIPA, private entities are not permitted to “collect, capture, purchase, receive through trade or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” unless they follow certain procedures – such as obtaining prior notification and consent and developing a publicly available, written policy governing how long any biometric data will be retained.

The plaintiffs in the Facebook case took advantage of another notable aspect of BIPA – its private right of action. BIPA allows individuals to file a lawsuit for damages flowing from a violation of the statute. Damages range from $1,000 for each negligent violation to $5,000 for each intentional or reckless violation.

The Ruling and its Impact

On August 9, 2019, the U.S. Court of Appeals for the Ninth Circuit unanimously ruled against Facebook and held, among other things, that the class of Facebook users who sued for violation of BIPA have standing to sue even where they can show no individual harm.

In other words, a federal appeals court has determined that mere procedural violations of BIPA – such as the failure to obtain consent – may entitle individual users to a financial recovery as a matter of right. Given the statutory damages – particularly if the violation is deemed intentional or reckless – this is a substantial amount when aggregated in a class.

Among other things, the court found that the facial recognition feature “allows Facebook to create and use a face template and to retain this template for all time.” The court added that, “because the privacy right protected by BIPA is the right not to be subject to collection and use of such biometric data, Facebook’s alleged violation of these statutory requirements would necessarily violate the plaintiffs’ substantive privacy interests.”

Facebook may have the largest database of facial images – about 350 million images are uploaded every day; however, the holding of the appeals court is not merely a Facebook problem. Indeed, the decision also has significant ramifications for other companies, such as Google, Amazon and perhaps even your security company.

  • Does your company collect biometric data?
  • Does your company give advanced notification of such collections?
  • Does your company obtain consent for such collections?
  • Does your company have policies governing how long the data is stored?

You do not need to be Facebook or Amazon or Google to be subject to privacy laws – BIPA or others. You should not assume that BIPA is an outlier and that other states will not strengthen their privacy laws with respect to biometric data. You should not assume that plaintiffs’ lawyers will not target you and avail themselves of any statutes authoring a private right of action.

The trends are clear and the stakes are high. If you are gathering biometric data and you are not consulting capable counsel to ensure full statutory compliance with governing privacy laws, then you are at risk.

Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at [email protected].

About the Author

Timothy J. Pastore, Esq.

Timothy J. Pastore Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, he was an officer and Judge Advocate General (JAG) in the U.S. Air Force and Attorney with the DOJ. [email protected]  •  (212) 551-7707

Meet Timothy J. Pastore

Timothy J. Pastore, Esq., is the newest columnist to join the Security Business magazine family. He is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. 

Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. As a JAG, in particular, Mr. Pastore was legal counsel to the Air Force Security Forces and Air Force Office of Special Investigations.

Mr. Pastore has represented some of the largest companies in the security industry, including Protection One, Comcast, Charter, Cox, Altice, Mediacom, IASG, CMS and others. He regularly provides counsel on risk management, contracting, operations, licensing, sales practices, etc. Mr. Pastore also has served as lead counsel in courts throughout the country in dozens of litigation matters involving the security industry.

Among other examples, Mr. Pastore led the successful defense at trial of cable giant Comcast in a home invasion case in Seattle, Washington. The case received significant press attention and was heralded by CVN as a top-ten defense verdict.

Mr. Pastore is a graduate of Bucknell University and Boston College Law School.

Reach him at (212) 551-7707 or by e-mail at [email protected].