One Size Does Not Fit All When Facing Biometric Consent Requirements
New Jersey Law Journal
December 1, 2021
Biometric data is integral to everyday life: it unlocks your phone with face-ID or voice recognition; it verifies your identity at work or the gym with a fingerprint or palm scan; it tags people in your social media posts; and it is increasingly being used to provide access to secure buildings, areas, or files.
As the commercial use of biometric data increases, so do concerns about the privacy, security, and control of this uniquely personal identifying information. This has prompted several states to enact or—as New Jersey has done—propose legislation that regulates the collection, use, and retention of biometric data. These legislative efforts raise myriad legal issues, including how private entities can obtain the required consent to collect, use, and store an individual’s biometric data. New Jersey’s legislative proposal (as well as other states’ existing statutes or proposals) requires formal written consent before collecting, using, or storing an individual’s biometric data. But, depending on the context, written consent may not be a realistic requirement. Assuming the benefit of using biometric technology in various applications is deemed to outweigh the potential privacy and security concerns, then it is clear that legislators should consider different forms of consent for those contexts where formal, written consent is not possible or not practical.
The Legal Landscape
Perhaps the most notable—and notorious—existing statute regulating commercial use of biometric data is Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14/1, et seq., which was enacted in 2008. Under BIPA, private companies must (i) implement and publish a written biometric retention policy; (ii) inform data subjects in writing of the specific purpose for collection, as well as the actual use and storage practices; and (iii) obtain a written release from data subjects consenting to the disclosed collection, use, and storage practices. Adherence to the BIPA standards is typically enforced through a private right of action, which can subject a company to statutory damages of $1,000 to $5,000 per violation, as well as attorney fees, costs, and additional relief in the discretion of the court. 740 ILCS 14/20.
In 2009, Texas adopted a less onerous statute. Tex. Bus. & Com. Code § 503.001(a) et seq. The Texas statute also requires express consent for capture of biometrics, but there is no private remedy. In 2017, Washington implemented legislation applicable to biometrics that is the least onerous of any enacted state legislation, in part because it does not require consent for any capture of biometric data. Rev. Code Wash. (ARCW) §19.375 et seq.
In New Jersey, Assembly Bill No. 3625/4211 would regulate a private entity’s collection, use, and retention of an individual’s biometric data. Section 4(a) of the proposed legislation requires a private entity in possession of biometric data to develop a written policy, made available to the public, establishing a retention schedule and guidelines for destroying such information. Section 4(b) provides that a private entity shall not acquire, possess, access, collect, capture, purchase, receive through trade, or otherwise obtain or use a person’s biometric identifier unless it first: (1) informs the person in writing that biometric data is being collected and stored; (2) informs the person in writing of the specific purpose and term for which the biometric data is being collected, stored, and used; and (3) receives a written release executed by the person. “Written release” is defined as “informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.”
Different Circumstances Require Different Types of Consent
The terms of the proposed legislation require “informed written consent” in all contexts without exception. Requiring written consent is a laudable goal and an extremely high standard, which, while practical in the employment context, is not necessarily practical when it comes to other existing or future commercial applications of biometric technology, like enhancing the functionality and security of a website or enhancing safety and security at commercial establishments.
Collection for Employment Purposes
Use of biometric data in the workplace can promote efficient, safe, secure, and cost-effective operations by requiring facial, voice or iris scans to access certain machinery or confidential and secure areas. The proposed legislation expressly provides that, in the employment context, a release executed by an employee as a condition of employment meets the informed consent standard. Because an employee must fill out various paperwork relating to and setting forth various conditions of legal employment, including in that paperwork a written release to collect and store biometric data is an obvious and easy way to obtain informed written consent.
Companies are already requiring biometric consent as a condition of employment. For example, earlier this year, Amazon implemented a requirement that all its delivery drivers across the United States sign a written consent form to allow use of on-board safety camera technology, which includes the collection, use, and storage of the driver’s photograph for the purposes of confirming identity and connecting to the driver’s account. While this new policy has raised concerns for some drivers, privacy advocates, and five U.S. Senators, Amazon is apparently standing by the new policy and maintains that it has resulted in dramatic increases in overall community and driver safety.
Collection From a Website
Website operators seeking to utilize biometric recognition features for purposes of identification and security confront different (and complicating) considerations. Obtaining a formal written release based on written notice as in the employment context is likely not possible or practical. To bridge this gap, companies may consider using a full “click wrap” agreement—as opposed to a less formal procedure akin to “browsewrap” consent—and incorporating an “opt in” checkbox for individuals to click after reviewing the biometric disclosures and policies. It is not clear that such a substitute process constitutes (or should constitute) sufficient written consent for the collection and use of biometric data under the proposed New Jersey legislation, but such unilateral contracts on websites and mobile apps are often upheld in other contexts by courts, including in New Jersey, when the terms are clear and not otherwise unenforceable.
Collection From the General Public
Perhaps the most challenging circumstance for obtaining consent is from the general public entering a private business that uses biometrics as part of any aspect of its operations, including to enhance the security and safety of its business and the other patrons. This is particularly true for New Jersey’s large entertainment facilities that are presumably within the scope of the proposed legislation, such as sports venues, concert halls, and casinos. It is likely that many of these private facilities already collect and use biometric data for security and safety purposes. Obviously, obtaining a written release from every individual entering the facility is impractical at best, and the New Jersey legislation does not provide any alternative means to obtain consent in these circumstances.
The New York City Council has considered the scenario and, in lieu of express written consent, requires appropriate notification at all customer entrances. Local Law 3 (2021), which became effective July 9, 2021, is applicable to Biometric Identifier Information and requires that commercial establishments—i.e., retail stores, entertainment facilities, and businesses that sell food and drink to the public—notify customers about collection of biometric data on the premises by posting “clear and conspicuous” signage near all customer entrances. The signage is required to be “in plain, simple language, in a form and manner prescribed by the commissioner of consumer and worker protection by rule,” and must provide notice “that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” At the other end of the spectrum, Portland, Oregon’s City Council enacted a ban that became fully effective on Jan. 1, 2021, totally prohibiting the use of facial recognition software by private entities, which supplements a companion ban adopted by the Portland City Council in 2020 on the use of facial recognition software by public entities and agencies. The means of obtaining consent clearly is not an issue in Portland.
There is no doubt that the commercial application and use of biometrics will continue to increase and, with it, the legislative efforts to address corresponding concerns about privacy, security, and control of biometric data. One thing is also clear—obtaining the appropriate informed consent for the collection, use, and storage of biometric data in different circumstances proves difficult, especially with a “one size fits all” approach. Ensuring legislation is adaptable to the various use cases is key to protecting the rights of both individuals and business owners.
Reprinted with permission from the December 5, 2021 issue of the New Jersey Law Journal. © 2021 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved. For information, contact 877-257-3382 or firstname.lastname@example.org or visit www.almreprints.com.