Biometric Data Privacy: The $650 Million Reason Apps Are Scared of Face Scans
When Facebook agreed to pay $650 million to settle Illinois biometric privacy claims in 2021, the settlement didn't just compensate affected users—it sent shockwaves through the technology industry. The case centered on Facebook's photo-tagging feature, which used facial recognition to identify people in uploaded photos without obtaining proper consent. Under Illinois law, that failure was worth hundreds of millions of dollars.
Biometric data—fingerprints, face geometry, iris patterns, voiceprints—occupies a unique position in privacy law. Unlike passwords or credit cards, biometrics can't be changed if compromised. You can reset a password; you can't reset your face. This permanence, combined with increasingly sophisticated collection technologies, has made biometric privacy one of the most active frontiers in data protection litigation.
Illinois BIPA: The Strictest Biometric Law in America
The Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, remains the most stringent biometric privacy law in the United States. BIPA's key requirements:
Written Consent Required
Private entities cannot collect, capture, purchase, or obtain biometric identifiers without first providing written notice and obtaining a written release. This isn't a checkbox buried in a terms-of-service agreement; it's a specific, informed consent process.
Retention and Destruction Schedule
Companies must establish a publicly available retention schedule describing how long biometric data will be kept and when it will be destroyed. Biometrics can't be retained indefinitely "just in case."
No Sale or Profit
BIPA prohibits selling, leasing, trading, or otherwise profiting from biometric data. This blocks the data broker business model that commodifies other personal information.
Protection Standards
Companies must store, transmit, and protect biometric data using reasonable care standards at least as protective as those used for other confidential and sensitive information.
Private Right of Action
Critically, BIPA grants individuals the right to sue for violations—a private right of action rare in privacy law. Plaintiffs can recover:
- $1,000 for negligent violations
- $5,000 for intentional or reckless violations
- Actual damages if greater
- Attorney fees and costs
This private enforcement mechanism has generated thousands of lawsuits and massive settlements.
The BIPA Litigation Explosion
Since 2015, BIPA litigation has transformed from obscure legal theory to major industry liability:
Facebook: $650 Million (2021)
The landmark settlement resolved claims that Facebook's photo-tagging feature collected and stored biometric data from millions of Illinois users without informed consent. The settlement established BIPA's massive liability potential and triggered compliance reviews across social media.
TikTok: $92 Million (2021)
Video-sharing platform TikTok settled BIPA claims related to facial recognition filters and effects that allegedly collected biometric data without proper disclosures.
Google: $100 Million (2022)
Google settled claims that its Google Photos face-grouping feature violated BIPA by collecting biometric data from Illinois users without consent.
Snapchat: $35 Million (2022)
Snapchat's "Lenses" and "Filters" features led to BIPA claims alleging biometric collection without informed consent.
Major Employers
Companies using biometric time clocks—fingerprint or facial recognition systems for employee tracking—have faced extensive litigation. Amazon, Marriott, Hyatt, and numerous retailers have settled or faced ongoing BIPA claims.
Class Action Proliferation
BIPA class actions now target gyms, retailers, entertainment venues, and any business using biometric systems. The private right of action gives plaintiffs' attorneys an incentive to seek out technical violations, creating compliance pressure even for companies with good-faith biometric programs.
What Counts as Biometric Data
BIPA defines biometric identifiers specifically:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Scans of hand or face geometry
Biometric information—data derived from these identifiers—is also protected.
Other laws define biometrics differently. The CCPA/CPRA covers biometric data within personal information definitions. Emerging state laws may expand or contract these categories. But BIPA's specific definitions have shaped litigation and compliance.
Emerging technologies raise new questions:
Gait Recognition
Analyzing how people walk is increasingly feasible at distance. Does this constitute biometric data under existing laws?
DNA
Some biometric privacy laws explicitly exclude DNA, treating it as medical information subject to different protections. Others include genetic information within biometric definitions.
Behavioral Biometrics
Keystroke patterns, typing rhythms, and interaction patterns can identify individuals. These behavioral characteristics occupy gray areas in current legal frameworks.
Other State Biometric Laws
While BIPA dominates headlines, other states have biometric privacy laws with different structures:
Texas: Capture or Use of Biometric Identifiers (CUBI)
Texas law requires notice and consent before capturing biometric identifiers. However, unlike BIPA, CUBI doesn't grant individuals a private right of action—only the Texas Attorney General can enforce violations. This significantly reduces litigation risk.
Washington State
Washington's biometric privacy law resembles the Texas statute: notice and consent requirements without private enforcement. The law excludes photographs and video recordings unless they are used specifically for facial recognition.
California: CCPA/CPRA
California's privacy laws include biometric data within personal information definitions. The CCPA/CPRA framework applies—disclosure requirements, opt-out rights, deletion rights, and limited private action for data breaches. California's approach is less specific than BIPA but applies more broadly.
New York City
NYC's biometric identifier law requires commercial establishments to notify customers if biometric data is being collected. This disclosure-focused approach addresses retail and entertainment venue collection.
Proposed Legislation
Multiple states are considering biometric privacy bills. Some mirror BIPA with private rights of action. Others adopt disclosure or consent-only frameworks. The patchwork of state laws creates complex compliance obligations for national businesses.
Common Collection Contexts
Biometric data collection occurs in contexts many people encounter regularly:
Workplace Time Clocks
Fingerprint and facial recognition time clocks eliminate buddy punching and streamline payroll. They're also the source of extensive BIPA litigation, as employers frequently fail to obtain proper consent or publish retention schedules.
Fitness and Health Apps
Apps promising to analyze your face for BMI, skin condition, or fitness metrics collect facial geometry. Many fail to obtain BIPA-compliant consent.
Social Media Filters
Augmented reality filters that map faces for effects require facial geometry analysis. The TikTok and Snapchat settlements established that these features can trigger BIPA obligations.
Photo Auto-Tagging
Services that automatically suggest tags for uploaded photos use facial recognition. Facebook's settlement established massive liability for this practice without consent.
Security Systems
Facial recognition for access control, surveillance cameras with identification capabilities, and authentication systems increasingly use biometrics in commercial and residential settings.
Healthcare Applications
Some health apps use voice analysis for diagnostic purposes, creating biometric data subject to multiple regulatory frameworks.
Consent Requirements Under BIPA
BIPA's consent requirements are specific and technical:
Written Notice
Companies must inform subjects that biometric data is being collected. Notice must include:
- That biometric data is being collected or stored
- The specific purpose and duration of collection
- That the company is collecting the data
Written Release
After notice, companies must obtain a written release authorizing the collection. This release must be knowing and voluntary—not buried in general terms of service.
Public Retention Schedule
Companies must publish a written policy establishing retention timeframes and destruction procedures. This schedule must be available to the public.
Protection Measures
Companies must describe the protective measures they employ for biometric data storage and transmission.
The Irreversibility Problem
Biometric data's unique characteristic—irreversibility—drives heightened legal protection. Consider:
Password Compromise
If your password is stolen, you change it. Problem solved.
Credit Card Compromise
If your card is stolen, you cancel it and receive a new number.
Biometric Compromise
If your fingerprint data is stolen, you can't get new fingerprints. The compromise is permanent.
This asymmetry justifies stricter consent requirements, retention limits, and prohibition on sale. Once biometric data escapes proper controls, the affected individual has no recourse.
Security breaches involving biometric databases create particular concern. Unlike other personal information, biometrics can't be replaced, making breach harm permanent and unfixable.
Protecting Your Biometric Data
Individuals can take steps to protect biometric information:
Ask Why Biometrics Are Necessary
When asked to provide fingerprints, facial scans, or other biometrics, ask why the collection is necessary. Is there a less invasive alternative? Many biometric conveniences aren't actually required.
Request Written Policies
Under BIPA and similar laws, you have the right to see retention and destruction schedules. Request these documents. If a company can't provide them, they may not be compliant.
Refuse Unnecessary Collection
You can often decline biometric collection. Gyms must provide non-biometric alternatives for membership. Workplaces may have opt-out options. Don't assume biometrics are mandatory.
Check for BIPA Compliance Notices
Illinois businesses using biometrics should display BIPA compliance notices. Absence of these notices may indicate non-compliance—and litigation risk.
Opt Out of Photo Tagging
Social media platforms now offer facial recognition opt-outs. Disable these features to prevent biometric collection from photos others upload.
Support Stronger Laws
If you don't live in Illinois, your biometric protections may be weaker. Support legislative efforts to expand BIPA-style protections to other states.
Business Compliance Checklist
For businesses using biometric technologies, compliance requires systematic attention:
Determine Applicability
Does your biometric use trigger BIPA, CUBI, CCPA, or other applicable laws? Multi-state operations face overlapping requirements.
Implement Consent Procedures
Establish written notice and consent processes. Don't rely on general terms of service—create specific biometric disclosures.
Publish Retention Schedules
Develop and publish clear policies about how long biometric data will be retained and when it will be destroyed.
Implement Security Measures
Protect biometric data with security measures at least as strong as those protecting other sensitive information. Encryption, access controls, and audit trails are essential.
Review Vendor Agreements
If using third-party biometric systems, ensure vendor contracts address compliance obligations. Vendor failures can create liability for the implementing company.
Monitor Legislative Changes
Biometric privacy law evolves rapidly. New states add requirements regularly. Compliance programs must adapt to expanding obligations.
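The checklist above reads as policy, but three of its items (consent before collection, a retention schedule that actually destroys data, and audit trails) can be enforced in code rather than left to process. The following is an added illustration written for this article, not code from any product or vendor named here: a small template store that refuses enrollment unless a written release on file covers the subject and the stated purpose, computes a destruction date as the earlier of the consent term and a retention cap, purges on schedule, and keeps an HMAC-chained audit log so that deletions cannot be silently removed from the record. The subject ids, the 365-day retention cap, the audit key and the byte-string "template" are all constructed for the example; encryption of templates at rest is assumed to be delegated to a key-management service and is not shown.

```python
"""Consent-gated biometric template store with retention enforcement and a
tamper-evident audit trail. Example code for this article; all records, keys
and the retention cap below are constructed, not taken from a real system."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class ConsentError(Exception):
    """Raised when enrollment is attempted without a valid written release."""


@dataclass
class ConsentRelease:
    subject_id: str
    purpose: str            # specific purpose disclosed in the written notice
    signed_at: datetime
    expires_at: datetime    # length of term disclosed in the written notice


@dataclass
class Template:
    subject_id: str
    purpose: str
    template: bytes         # derived template only; the raw image is never stored
    enrolled_at: datetime
    destroy_by: datetime    # earlier of consent expiry and the retention cap


class BiometricStore:
    RETENTION_DAYS = 365    # hypothetical published retention cap

    def __init__(self, audit_key: bytes):
        self._templates: dict[str, Template] = {}
        self._audit: list[dict] = []
        self._audit_key = audit_key
        self._prev_mac = b"\x00" * 32

    # Each audit entry is HMAC-chained to the previous one, so deleting or
    # editing an earlier entry invalidates every later MAC.
    def _log(self, event: str, subject_id: str, when: datetime) -> None:
        entry = {"event": event, "subject": subject_id, "at": when.isoformat()}
        payload = self._prev_mac + json.dumps(entry, sort_keys=True).encode()
        mac = hmac.new(self._audit_key, payload, hashlib.sha256).digest()
        entry["mac"] = mac.hex()
        self._audit.append(entry)
        self._prev_mac = mac

    def verify_audit(self) -> bool:
        prev = b"\x00" * 32
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "mac"}
            payload = prev + json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self._audit_key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected.hex(), entry["mac"]):
                return False
            prev = expected
        return True

    # Collection is refused unless a written release covers subject and purpose.
    def enroll(self, release: ConsentRelease | None, subject_id: str, purpose: str,
               template: bytes, now: datetime) -> Template:
        if release is None or release.subject_id != subject_id:
            raise ConsentError("no written release on file for subject")
        if release.purpose != purpose:
            raise ConsentError("release does not cover this purpose")
        if not (release.signed_at <= now < release.expires_at):
            raise ConsentError("release not in force")
        destroy_by = min(release.expires_at, now + timedelta(days=self.RETENTION_DAYS))
        rec = Template(subject_id, purpose, template, now, destroy_by)
        self._templates[subject_id] = rec
        self._log("enroll", subject_id, now)
        return rec

    # Destruction on request (withdrawal, purpose completed) or on schedule.
    def destroy(self, subject_id: str, now: datetime, reason: str = "request") -> bool:
        if self._templates.pop(subject_id, None) is None:
            return False
        self._log(f"destroy:{reason}", subject_id, now)
        return True

    def enforce_retention(self, now: datetime) -> list[str]:
        expired = [s for s, t in self._templates.items() if now >= t.destroy_by]
        for s in expired:
            self.destroy(s, now, reason="schedule")
        return expired

    def has_template(self, subject_id: str) -> bool:
        return subject_id in self._templates

    def audit_events(self) -> list[str]:
        return [e["event"] for e in self._audit]


def demo() -> dict:
    """Exercise the store on constructed data; returns facts for checking."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = BiometricStore(audit_key=b"constructed-audit-key")
    release = ConsentRelease("emp-001", "timeclock", t0, t0 + timedelta(days=730))
    store.enroll(release, "emp-001", "timeclock", b"\x01\x02\x03", t0)
    refused = 0
    expired = ConsentRelease("emp-002", "timeclock",
                             t0 - timedelta(days=10), t0 - timedelta(days=1))
    for bad in (None, expired):                       # no release / lapsed release
        try:
            store.enroll(bad, "emp-002", "timeclock", b"\x04", t0)
        except ConsentError:
            refused += 1
    try:                                              # release covers a different purpose
        store.enroll(release, "emp-001", "marketing", b"\x05", t0)
    except ConsentError:
        refused += 1
    # Consent runs 730 days but the cap is 365, so destruction happens at +365.
    kept = store.enforce_retention(t0 + timedelta(days=364))
    purged = store.enforce_retention(t0 + timedelta(days=365))
    return {"refused": refused, "kept_at_364": kept, "purged_at_365": purged,
            "still_stored": store.has_template("emp-001"),
            "events": store.audit_events(), "audit_ok": store.verify_audit()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that the retention date is fixed at enrollment from the disclosed term and the published cap, not decided later by whoever runs cleanup, and that every enrollment and destruction lands in a chained log a reviewer can verify against the published schedule.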
The Future of Biometric Privacy
Biometric privacy law will continue evolving rapidly:
Expansion of State Laws
Expect more states to adopt biometric privacy legislation. Some will follow BIPA's private right of action model. Others will adopt attorney general enforcement frameworks.
Federal Legislation Possibility
While comprehensive federal privacy legislation remains stalled, biometric-specific federal rules may emerge. Current federal proposals generally preempt less protective state laws—a concern for BIPA supporters.
Emerging Technologies
New biometric modalities—gait recognition, DNA analysis, behavioral biometrics—will challenge existing legal frameworks. Courts and legislatures will struggle to apply old definitions to new technologies.
International Standards
GDPR and other international privacy frameworks address biometrics within broader personal information definitions. Expect continued convergence and divergence between US state laws and international standards.
Conclusion
Biometric data privacy represents a critical intersection of technology capability and legal protection. Illinois BIPA demonstrated that strong privacy laws with private enforcement mechanisms can reshape industry practices. The $650 million Facebook settlement wasn't just compensation—it was a warning.
The irreversibility of biometric compromise justifies heightened legal protection. Unlike passwords or account numbers, biometrics can't be changed. Once compromised, the harm is permanent. This reality drives BIPA's consent requirements, retention limits, and prohibition on sale.
For individuals, biometric awareness means questioning unnecessary collection, demanding transparency, and exercising opt-out rights when available. For businesses, compliance requires treating biometric data as the high-risk category it is—implementing specific consent processes, clear retention policies, and strong security measures.
As biometric collection becomes ubiquitous—unlocking phones, accessing workplaces, authenticating payments—the legal frameworks governing these practices become increasingly consequential. Illinois led with BIPA. Other states are following. And the companies that treat biometric privacy as a compliance obligation rather than an afterthought will navigate this landscape successfully.
The $650 million message is clear: biometrics deserve special protection, violations carry massive costs, and informed consent isn't optional. For anyone collecting, using, or subject to biometric data processing, that message should guide every decision.
Sources:
- 740 ILCS 14 (Illinois BIPA)
- Texas CUBI (Texas Business and Commerce Code Chapter 503)
- Facebook BIPA Settlement (2021)
- TikTok BIPA Settlement (2021)
- Google BIPA Settlement (2022)
- CCPA/CPRA Biometric Provisions