As technology continues to open doors for industry, adopters need to be mindful of both pitfalls and opportunities. Here we discuss allegations against organizations that implement technology for processing biometric data or for gathering information on websites, the risks those allegations create, and best practices for compliance.
Laws on Managing Biometrics
States have begun enacting laws to specifically address the collection and safekeeping of biometric data, with more expected to follow suit in the future. By far the most prominent of these laws is the Illinois Biometric Information Privacy Act (BIPA)—the subject of hundreds of class action lawsuits in the last few years, yielding numerous multimillion-dollar settlements.
Texas and Washington have also enacted statutes governing their residents’ biometric data. Although neither statute provides a private right of action—instead leaving enforcement to the state attorney general—both states’ laws do impose certain notice and consent requirements, along with biometric data retention limits. There is not yet a single, overarching federal law governing biometrics, despite some industry-specific laws incorporating limited biometrics protections.
Compliance
Compliance under BIPA Section 15(a) requires companies possessing biometric data to publish a publicly available policy. While Section 15(a) contains no explicit timing requirement, the Illinois Appellate Court held that such a policy needs to be in place immediately when a company comes into possession of biometric data, so having a policy in place before this collection is critical. The question of what constitutes possession is still heavily litigated, and because the case law remains uncertain, it is best to publish a policy if any question exists.
Section 15(b) is the most heavily litigated section of BIPA, but to date there is very little case law on the substance of notice and consent documents. Under Section 15(b), a company collecting biometrics is required to inform those from whom it is collecting biometric data of the collection, its purpose, and the length of time for which the data will be collected, stored, and used. Written consent must be obtained from those whose data is collected. Going forward, we anticipate seeing more case law addressing what constitutes consent to collection.
As more states introduce privacy legislation, a wave of class actions and arbitrations has arisen alleging wiretapping by website operators and third-party analytics companies under decades-old wiretapping statutes.
Nearly every state has a wiretapping statute. Though they vary from state to state, most statutes impose liability on those who intercept the contents of a communication without consent, with the majority imposing criminal liability and allowing for private civil causes of action. Cases are often brought under wiretapping acts in states with all-party consent laws such as California, Pennsylvania, and Florida.
Litigation Trends
Several recent cases have alleged illegal wiretapping using three technologies commonly used on commercial websites: session replay technology, chatbots, and tracking pixels.
A handful of plaintiffs’ firms are leading the charge in the class action space, with one sending several hundred demand letters to ecommerce sites operating in California and filing dozens of lawsuits.
Outcomes of wiretapping litigation vary across jurisdictions. In California, decisions have granted motions to dismiss and held that vendors providing data analysis tools are not “eavesdroppers” under California’s wiretapping statute. In Pennsylvania, recent decisions have denied motions to dismiss and permitted discovery on elements of wiretapping claims. In Florida, there is a trend toward granting motions to dismiss session replay claims and denying motions to dismiss chatbot claims.
There has also been a surge in allegations that hospitals and health insurers are improperly sharing health information gathered through website analytics tools, including information submitted through patient portals.
Risk Mitigation Tips