Privacy rights face the rise of biometric security

Will biometric identification technology — which promises faster and easier checkout for customers, particularly in unattended environments — be thwarted by the need to protect personal privacy?

A pair of lawsuits against Compass Group USA seek damages over the way the company collects and stores biometric information from fingerprint readers on certain vending machines. The suits claim the company violated the Illinois Biometric Information Privacy Act (BIPA), which requires written consent before collecting and storing biometric information. 

The lawsuits are among several that have been filed in recent years against companies that gather biometric information from customers. The lawsuits are making companies aware of the need to gain customers' consent prior to collecting biometric information.

Biometric identification technology has emerged as a convenience in situations where customers have to provide their identification to be served, particularly in unattended environments. In addition to foodservice, the technology has expanded in the transportation, health care and financial sectors. Fingerprint recognition, one of the oldest and most economically feasible biometric technologies, remains the most commonly used such technology, according to industry observers.

Compass Group USA did not respond to a request from this website for comment on these recent lawsuits.

What the law requires

The Illinois law requires that a company collecting a customer's biometric information first inform the subject in writing that the information is being collected or stored. That written notice must also include the purpose and length of the term for which the information is collected. Additionally, the person who is providing their biometric information must provide a written release documenting that they approve of the use of the information as the company specified. 

The law also requires the company to destroy the biometric information when the purpose for collecting it has been met or within three years of their last interaction with the customer, whichever comes first. 

The law notes that biometrics puts the individual at a heightened risk of identity theft.

Customers sue Compass Group USA

Jennifer Kessler sued Compass Group USA on Jan 28, 2020 in the Circuit Court of Cook County, Illinois for violating BIPA. Kessler stated in her complaint that she was never advised of the purpose or length of time for which the defendant collected or used her biometrics, or if her biometrics would ever be permanently deleted.

Kessler, who claimed she would not have provided her data had she known the defendant would retain the information indefinitely without her consent, brought suit on behalf of all persons who scanned a fingerprint or thumbprint at a biometric vending machine owned by Compass Group in Illinois during the applicable statutory period.

Kessler seeks $5,000 for each intentional or reckless violation of BIPA, or $1,000 for each negligent violation. BIPA provides that, for each violation, the prevailing party may recover $1,000 or actual damages, whichever is greater, for negligent violations and $5,000 or actual damages, whichever is greater, for intentional or reckless violations.

A similar suit filed by Christine Bryant against Compass Group USA said the defendant collected the biometric data at one of its SmartMarket machines without obtaining written consent.

Fairness questioned

One issue being experienced with the Illinois law, according to some, is that the plaintiff does not have to prove they were harmed in order to seek damages.

The Illinois Supreme Court ruled last year against Six Flags that a plaintiff whose teenage son was fingerprinted by the park did not have to prove they suffered harm in order to sue for damages under BIPA. The court ruled that "an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the act, in order to qualify as an 'aggrieved' person and be entitled to seek liquidated damages and injunctive relief pursuant to the act."

Jennifer Huddleston, a research fellow at the Mercatus Center at George Mason University, stated in an article in The Hill that unlike other states, Illinois allows individuals to bring cases for alleged violations as part of its enforcement. Huddleston went as far as to say that under the Illinois law, many of biometrics' benefits become difficult, if not impossible, to utilize. 

Jim Sullivan, senior vice president of strategy and compliance and chief legal officer at Bio-Key International Inc., a provider of biometric software solutions that he claims already comply with the Illinois law, thinks many companies are being victimized unfairly.

"Many, many, many companies innocently collected biometrics and didn't ask for consent first because they didn't know that they had to," Sullivan told this website.

"It's only in Illinois that the problem is really at its worse," he said.

Every other state that addresses biometrics leaves action to the discretion of the state attorney general as opposed to giving each citizen the right of private action, he said. He estimated 15 states have biometric laws in effect or proposed.

The long-term implications of the Illinois law are uncertain. While a number of companies have been sued, getting customer consent before collecting biometric information does not appear to pose a major obstacle to technology providers interviewed for this article. 

However, the damages under BIPA can be steep.

In late January, Facebook agreed to pay $550 million for violating the law in the way the company collected data with its facial recognition technology after the U.S. Supreme Court denied a petition to dismiss the lawsuit, according to a report in the Washington Post.

Part two of this three-part series will explore how companies using self-service kiosks are complying with the Illinois law.

Image courtesy of iStock.