Until recently, biometric privacy was a niche area of the law that had little application to most companies. But with the rapid growth in commercial biometric data collection, including voice samples, fingerprints, retina scans, and facial geometry, as well as some recent developments in the applicable case law, it’s probably time for companies to start paying attention. Indeed, one of our top privacy law predictions for 2019 was a judicial expansion of the notion of harm, which happened more quickly than we anticipated in the context of gathering biometric data.
On January 25, 2019, the Illinois Supreme Court decided Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186, unanimously finding that plaintiffs could bring a private cause of action for violations of the notice and consent requirements of the state’s biometric privacy law without any showing of harm. In Six Flags, a mother sued the owner of a theme park on behalf of her teenaged son after he was fingerprinted in connection with the purchase of a season pass to the park. Neither the son nor the mother consented in writing to the taking of the fingerprint or signed any written release. Further, the park did not provide any documentation about their retention schedule or guidelines for retaining and then destroying the data. The court found that individuals possess a right to privacy in and control over their biometric identifiers.
It is probably not a coincidence that courts and legislatures are struggling with biometric harm and consent issues at the same time that companies are experimenting with a whole new level of biometrics – microchipping employees, or “chipping.” Several companies, including one in the United States, have begun inserting a microchip implant the size of a grain of rice into the hand of a voluntary test group of employees. Once inserted, the chip uses technology similar to a card reader and enables employees to open doors, access company accounts, and order from company vending services.
Chipping is, not surprisingly, quite controversial. First, there is the “ick” factor, with the obvious unease of people having the same kind of chips implanted that are used to track animals. There is also the concern about infection and health risks from an implant, and questions about how the implant would be removed when the employee leaves, is terminated, or no longer consents to the device. But supporters argue that these are ill-informed concerns, easily addressed with information about the safety of the devices, and how they will and will not be used. They contend that chipping is really no different than having employees carry around electronic access cards that are used for entry into buildings and purchases at the company cafeteria, but with significant advantages of convenience and security because employees can’t forget their chip, lose it, or have it stolen.
Supporters of chipping also point out that it is only for employees who volunteer, and that several states have passed legislation prohibiting mandatory implantation. But critics argue that what may seem “voluntary” may not be entirely so. If employees who agree to be chipped have a growing number of advantages over other employees (such as instant security authorizations that other employees may have to wait hours or days to secure), the growing disadvantages of not being chipped may become significant. Skeptics have also raised concerns regarding the security and use of the data stored in these chips. Presumably these chips also include tracking capabilities that allow employers to know when employees arrive at work, when they are at their desk, when they leave, and when they visit their therapist. Over time, this data could become quite valuable for a number of purposes, and the company may be interested in using or selling that data for reasons that have nothing to do with convenience for the employees. But supporters argue that this can all be managed through transparency, disclosure, and consent, and is really no different than the current capabilities that most companies have to monitor employees’ movements through their mobile phones and access cards. To get over the health and “ick” factor, some companies are considering putting the chips into waterproof bracelets that employees can wear, instead of implants.
These are just a few of the thorny privacy issues that many companies are going to struggle with in the coming years as they try to navigate the delicate balance between convenience, privacy, transparency and ickiness. We will continue to monitor significant biometric privacy developments here at the Cyber Blog and on our Cyber Portal for Davis Polk clients. https://www.dpwcyberblog.com.
The author gratefully acknowledges the assistance of law clerks David Popkin and Michael Washington in preparing this entry.
This article has also been posted at the Compliance & Enforcement blog sponsored by NYU Law’s Program on Corporate Compliance and Enforcement.