In this month’s column, I’d like to revisit a topic I’ve covered a few times: Biometric privacy.
Just in case you’ve forgotten, here is a bit of background info: Biometric information is data based on things such as your fingerprints, a retina scan, voiceprint, hand scan or facial scanning. Now that you know what biometric information includes, think of how often you use it. Off the top of my head, my phone recognizes both my face and fingerprint to unlock it, and I have at least a half dozen apps that use my thumbprint as my sign-in.
Now, here is something to ponder: Who owns all of this data that’s collected every time you log into an app or your cellphone or drive past a traffic camera? Even more worrisome, what can this digital data be used for?
Since the start of the 2023 legislative session, at least 15 biometric privacy law proposals have emerged across 11 states — Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont and Washington.
Broadly speaking, these bills would impose new requirements on companies’ collection, handling, protection, use and dissemination of biometric information, such as retina or iris scans, fingerprints, voiceprints and scans of hand or face geometry. Many of these bills would greatly increase the compliance risk and liability exposure of companies that handle biometric information and are therefore worth tracking closely.
Illinois was the first U.S. state to enact legislation about the matter, way back in 2008, with the adoption of the Biometric Information Privacy Act, or BIPA.
Section 15(b) of the Act provides that a private entity may not “collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data without first providing notice to and receiving consent from the person. Section 15(d) provides that a private entity may not “disclose, redisclose, or otherwise disseminate” biometric data without consent.
In February 2023, Illinois-based Black Horse Carriers Inc. — which has since been acquired by trucking giant Penske — faced a class action lawsuit. A former employee initiated the suit, alleging the company violated BIPA by requiring time clock fingerprint authentication without maintaining a publicly available policy on how the company would treat employees’ biometric data.
The suit also claimed Black Horse failed to provide notice to employees that the time clock was collecting their fingerprints and didn’t explicitly get employees’ consent. The company argued that the court should have applied the one-year statute of limitations under Illinois’ Right of Publicity Act. However, the court unanimously disagreed.
In issuing a blanket five-year statute of limitations for all BIPA claims, the 5-0 majority of the court emphasized that “the full ramifications of the harms associated with biometric technology is unknown.” Without the law, the court wrote, individuals whose biometric data was improperly collected or disseminated might never even know it – at least until they felt the consequences.
Danielle Kays, an attorney with Chicago-based firm Seyfarth Shaw LLP, has experience in cases involving biometric information. According to Kays, employers like her clients were already working under the assumption that a five-year statute of limitations was likely to prevail. She notes that the February ruling provides more clarity in a law that’s still taking shape in a sea of legal challenges.
Illinois state Rep. Jeff Keicher (R-DeKalb) believes a bill he’s put forward could strike the right balance in tweaking the law. House Bill 3199 would allow companies to obtain consent electronically for collecting and using employees’ and customers’ biometric data, in addition to clarifying that consent is only needed for the first time a company collects it.
Keicher says he’s sensitive to biometric privacy concerns because of the massive data center Facebook is building in his district. He called BIPA a “bragging point” because “we don’t allow Illinois citizens to be manipulated in the fashion that some other (states) do.”
“We have technology and we need to adapt to it, but at the same time, we have to be very sensitive to the abuses that some unscrupulous large technology firms may take,” Keicher said in an interview. “And so where that center line is, I think we owe it to the people of Illinois to investigate.”
With all that being said, the integration of biometrics in the trucking industry can lead to improved security, better regulatory compliance, enhanced fleet management and increased safety for both drivers and cargo.
However, it is important to ensure the implementation of biometric systems complies with relevant privacy regulations and that proper data security measures are in place to protect sensitive biometric information.
Once your fingerprints and retinal, voice and facial scans are out there, there’s no getting them back. Would you consent?
Brad Klepper is president of Interstate Trucker Ltd., a law firm entirely dedicated to legal defense of the nation’s commercial drivers. Brad is also president of Driver’s Legal Plan, which allows member drivers access to his firm’s services at discounted rates. For more information, contact him at (800) 333-DRIVE (3748) or interstatetrucker.com and driverslegalplan.com.