Notice and consent under biometric data privacy laws
To use surveillance cameras and the related security footage, businesses must be mindful of state-specific biometric data regulations, which may require notice to and consent by the individual(s) being monitored or recorded.
One prominent example is the Illinois Biometric Information Privacy Act (BIPA), which is among the most comprehensive state biometric privacy laws. BIPA sets forth two regulated categories of biometric data: biometric identifiers and biometric information. Under BIPA, biometric identifiers include scans of hand or face geometry, retina or iris scans, fingerprints, or voiceprints. Biometric information includes any information based on a biometric identifier used to identify an individual. In the event security footage captures such biometric data, the collecting businesses may not collect, capture, purchase, receive through trade, or otherwise obtain such biometric data without first providing individuals written notice that their biometric data is being collected or stored and the purpose and duration for such use (740 Ill. Comp. Stat. 14/15(b)(1)-(2)). Further, such business must also receive a signed written release of the individual that allows for the collection of their biometric data. Id. at Section 14/15(b)(3).Washington and Texas similarly require some form of notice and consent for biometric data collection. Under Washington’s law, a business cannot enroll an individual’s biometric identifier into a database without first providing notice (which must be reasonable under the circumstances), obtaining consent, or providing a mechanism to prevent the subsequent use of the biometric identifier (Rev. Code Wash. (ARCW) Section 19.375.020(1)). The law does not specify the type of notice and consent required in any given circumstance, but rather provides that “[t]he exact notice and type of consent required to achieve compliance … is context-dependent.” (Rev. Code Wash. (ARCW) Section 19.375.020(2)). Washington’s statute may implicate security footage in a particular way (if such footage or the characteristics of subjects derived from it qualified as biometric data) as – unlike BIPA – it allows for an exception to unauthorized disclosure of biometric data to “protect against or prevent actual or potential fraud, criminal activity, claims, security threats, or liability” which could arguably speak to the purpose of security footage (Rev. Code Wash. (ARCW) Section 19.375.020(4)).