While state legislative proposals to regulate biometric privacy continue to emerge around the country, the likelihood that they could increase financial liability for big tech companies depends on whether they allow private citizens the right to sue for violations, legal experts said in interviews.
A federal appeals court ruled on Aug. 8 that a facial recognition class-action lawsuit contending that Facebook Inc. violated Illinois' biometric privacy law can move forward. The alleged violation could reportedly impact up to 7 million users.
Anyone aggrieved by a violation of the law has the ability to claim $1,000 for negligent violations and $5,000 for intentional or reckless violations. That means Facebook could face billions in damages in Illinois alone. But the law in that state is unique in that it gives private citizens, rather than the government, the right to sue, in what is called a private right of action.
If new biometric privacy laws follow Illinois as a model and include a private right of action, tech companies will have a "very confusing world that they're going to try to exist in," according to Ian Fisher, chair of the biometric privacy practice at law firm Hahn Loeser & Parks LLP.
On the other hand, Fisher said biometric privacy laws without a private right of action pose less risk to companies that collect biometric data.
"If there is not [a private right of action], and it's left to government agencies to enforce, one sees the government agencies generally exercising some discretion and judgment and only going after situations where they perceive harm," said Fisher. "I think where a private right of action is created, you have a totally different group of actors bringing the actions, and they don't have an incentive to exercise the discretion that government agencies would exercise."
Three states — Washington, Texas and Illinois — have biometric privacy laws, though Illinois is the only one with a private right of action.
Other states are modeling proposals after Illinois' law, said Karla Grossenbacher, co-chair of the biometric privacy compliance and litigation practice at law firm Seyfarth Shaw LLP.
Pending biometric privacy legislation in at least two states — Massachusetts and New York — would allow for some type of private right of action against private companies. A proposal in California would also allow citizens to bring an action for relief against law enforcement for violating biometric surveillance rules.
Meanwhile, California privacy legislation that has already been passed into law and takes effect in 2020 will allow for a limited private right of action. That law will enable consumers to bring civil actions against a business that subjects a consumer to unauthorized access, exfiltration, theft or disclosure of their personal data by not maintaining certain security measures to protect user data.
Another challenge for tech companies is that biometric privacy laws have unresolved questions in a relatively new legal area, according to Grossenbacher.
"The bigger issue with these biometric privacy laws is nothing is defined in them," she said. "What we really need are lawsuits that tell us, 'Okay, what are the parameters of, say, consent, under the Illinois law?'"
Fisher echoed a similar sentiment, noting that the Illinois law, which was passed in 2008, presents a lot of challenging legal questions and scenarios that are difficult to answer because the law is the only one of its kind.
"It has this incredible exposure to businesses to class claims, but it's young, it has very little guidance," he said.
The solution for companies is a national biometric privacy law that preempts state laws, Fisher said. Despite chatter from a bipartisan U.S. Senate working group, no proposal has yet emerged for a comprehensive federal privacy bill.