In one of the largest data privacy settlements ever, a California federal district court judge last week approved a $650 million settlement to be paid by Facebook to nearly 1.6 million Facebook users in Illinois. The recipients of the payment will be those people for whom the social network allegedly created and stored face templates, in violation of the Illinois Biometric Information Privacy Act (BIPA). Facebook faces potential additional liability in another biometric privacy action filed last October in Illinois, Whalen v. Facebook, Inc. In that case, Instagram users claim that the social media app, owned by Facebook, wrongly collected and stored their biometric data by using facial recognition technology on photos uploaded to the app. That lawsuit is in its initial stages. Facebook recently filed a motion to stay the proposed action, which it says must be arbitrated.
These cases underscore the potential exposure that many companies have under state biometric privacy statutes and regulations. BIPA is among the strictest privacy laws in the U.S., requiring businesses to get permission before using technologies such as facial recognition to identify customers. It includes a private right of action, which has spawned hundreds of class action lawsuits in Illinois.
The Florida Legislature in 2019 unsuccessfully attempted to pass a Florida Biometric Information Privacy Act, which closely tracked Illinois’ BIPA. However, last month, the state's legislature introduced House Bill 969 (currently in the Regulatory Reform Subcommittee) and Senate Bill 1734, each focused on consumer data privacy. The broad protections of personally identifiable information (PII) proposed in these bills include personal safeguards against certain collections of biometric data, which the bills define broadly. Under the proposed legislation, biometric information encompasses physiological or biological characteristics like fingerprints, face and voiceprints, and retinal scans, as well as behavioral markers like gait or keystroke patterns, and sleep, health, and exercise information. The proposed legislation would establish a private right of action for violations of the act.
In addition, HB 969 would require businesses to follow (and apprise consumers of) a retention schedule that prohibits the use and retention of personal information after satisfaction of the initial purpose for collecting or obtaining such information, after the term of a contract has ended, or one year after the consumer's last interaction with the business, whichever occurs first. Notably, this provision carves out an exception for biometric information used “for ticketing purposes” if such information is only kept for the duration of the ticketed event. This carve-out presumably is an acknowledgement of the perceived increased need for facial recognition technology, especially during the current COVID-19 pandemic. For example, facial recognition technology at airports allows for contactless flight check-ins and immigration entry into the U.S. This increased use of biometric technology may also be seen across other industries.
Companies doing business in Florida should begin, if they have not already, carefully reviewing and revising, if necessary, their policies and procedures regarding the handling and protection of consumer data, including biometric information. If passed, the proposed new Florida law would become effective on January 1, 2022, giving businesses relatively little time to take the measures necessary to comply with the legislation.