Reed Smith Client Alerts

As retailers get back to business in the United States, the laws implicating biometrics and the increase in use cases for biometric technologies have caused these businesses to refocus their data collection points. One such use case that merits special attention, specifically in the context of reopening businesses after COVID-19 precautionary closures, is the information collected via security footage (also receiving attention as a result of recent protests). This article discusses whether data collection via security footage possibly qualifies as “biometric identifiers” or “biometric information” under various state laws that implicate the topic, and whether notice and consent are necessary to collect and use that footage.

Authors: Sarah L. Bruno

Notice and consent under biometric data privacy laws

To use surveillance cameras and the related security footage, businesses must be mindful of state-specific biometric data regulations, which may require notice to and consent by the individual(s) being monitored or recorded.

One prominent example is the Illinois Biometric Information Privacy Act (BIPA), which is among the most comprehensive state biometric privacy laws. BIPA sets forth two regulated categories of biometric data: biometric identifiers and biometric information. Under BIPA, biometric identifiers include scans of hand or face geometry, retina or iris scans, fingerprints, or voiceprints. Biometric information includes any information based on a biometric identifier used to identify an individual. In the event security footage captures such biometric data, the collecting business may not collect, capture, purchase, receive through trade, or otherwise obtain such biometric data without first providing individuals written notice that their biometric data is being collected or stored and the purpose and duration for such use (740 Ill. Comp. Stat. 14/15(b)(1)-(2)). Further, the business must also receive a signed written release from the individual that allows for the collection of their biometric data. Id. at Section 14/15(b)(3).

Washington and Texas similarly require some form of notice and consent for biometric data collection. Under Washington’s law, a business cannot enroll an individual’s biometric identifier into a database without first providing notice (which must be reasonable under the circumstances), obtaining consent, or providing a mechanism to prevent the subsequent use of the biometric identifier (Rev. Code Wash. (ARCW) Section 19.375.020(1)). The law does not specify the type of notice and consent required in any given circumstance, but rather provides that “[t]he exact notice and type of consent required to achieve compliance … is context-dependent.” (Rev. Code Wash. (ARCW) Section 19.375.020(2)). Washington’s statute may implicate security footage in a particular way (if such footage or the characteristics of subjects derived from it qualified as biometric data) as – unlike BIPA – it allows for an exception to unauthorized disclosure of biometric data to “protect against or prevent actual or potential fraud, criminal activity, claims, security threats, or liability” which could arguably speak to the purpose of security footage (Rev. Code Wash. (ARCW) Section 19.375.020(4)).