Biometric-based technology is emblematic of the promise—and potential privacy pitfalls—of emerging digital tech.

Biometrics is the use of a person’s unique biological characteristics, such as their fingerprint, voice, and facial pattern, to identify and authenticate them. Around 75% of U.S. consumers have used some type of biometric technology. In fact, the use of biometrics for digital identity has been hailed as the most significant development currently shaping the technology industry.

Biometrics add levels of convenience and security to consumers’ digital experience. In 2022, approximately 46 percent of respondents in North America and Europe stated that their company had already implemented biometric authentication training tools due to their increased security and improved user experience. However, along with convenience, biometrics pose data privacy concerns.

Companies store biometric identifiers as data, and this data, like other types of personal information, can be accessible to cybercriminals in a data breach. Compromised biometric data is potentially more damaging than other types of data that may be stolen or compromised.

You can cancel an old credit card and get a new one. You can’t change your fingerprints. Once that information is compromised, it will never be completely secure again.

Identity theft is a major concern with biometric data. A cybercriminal who obtains your fingerprints, retina, facial, or voice data could use it to, say, access the building where you live or board an airplane. Since the number of applications for biometric data will likely increase, there’s no telling how, exactly, this security threat will evolve. But the prospects are alarming enough to prompt questions about how biometric data is safeguarded.

Again, cybercriminals are not the only cyber security risk. Consumers are concerned, and rightly so, about companies collecting, storing, and profiting from their biometric data. These concerns are reflected in new biometric data legislation.

Milberg’s Biometrics Practice Group

Milberg’s Biometrics Practice Group attorneys are leading the way in biometric privacy litigation. Relying upon rapidly emerging biometric data legislation, our attorneys have lodged class action lawsuits against major corporations—Walmart, Bose, CVS, Facebook, Snapchat—that have wrongfully handled the biometric data of their consumers and employees alike.

Numerous states across the country have enacted or are in the process of enacting biometric privacy laws and regulations, many of which require businesses “to track, inform employees or consumers of, and provide methods for employees or consumers to consent to, the collection of biometric information or biometric identifiers.” In states that have existing biometric privacy laws, consumers may be able to sue organizations that fail to handle their biometric data in the ways specified under the laws. Milberg is uniquely positioned and experienced in representing these very consumers.

The Illinois Biometric Information Privacy Act

In 2008, Illinois became the first state to enact a biometric privacy law. Today, the state has one of the strictest biometric privacy laws in the country. Its Biometric Information Privacy Act (BIPA) mandates, among other measures, that a company may not obtain and/or possess a person’s biometric data unless it:

  • Informs that person in writing that it is collecting their biometric identifier or biometric information
  • Informs that person in writing of the specific purpose and period for which biometric data is being collected, stored, and used
  • Receives a written release from the data subject to collect his or her biometric data
  • Makes public written retention schedules and guidelines for permanently destroying the biometric data

Notable Cases & Recent Recoveries

  • $68.5 Million Settlement Parris, et al., v. Meta Platforms, Inc. – Served as lead counsel in privacy class action under the Illinois Biometric Information Privacy Act
  • $35 Million Settlement Boone v. Snap, Inc. – Served as lead counsel in privacy class action under the Illinois Biometric Information Privacy Act
  • Class action lawsuit against Walmart that alleges its use of “cameras and advanced video surveillance systems” violates the Illinois Biometric Information Privacy Act
  • Class action lawsuit against Bose that alleges the company disregarded the biometric privacy rights of Illinois residents when it collected and stored their facial geometry as part of a “virtual try-on” program
  • Class action lawsuit against CVS that alleges the company collected facial image data from customers obtaining ID photos
  • Class action lawsuit against Facebook on behalf of Instagram users who claim the parent company is collecting users’ protected biometric data in violation of the Illinois BIPA