The risks and rewards of biometric data

The collection of biometric information is becoming more prevalent in the credit union industry and in fintech as a whole. Consumers cannot easily change biometric information about themselves; therefore, theft of biometric information is among the most serious of all data breaches. As a result, several states have enacted laws regulating the capture and storage of biometric data. Even in states without laws specifically relating to biometric information, loss of biometric data can result in negligence lawsuits against the organization that held the data.

Risks of collecting biometric data

At the end of 2022, two cases helped illustrate some of the risks when acquiring biometric data. In October 2022, the Attorney General sued Google on the basis of Google’s alleged failure to (1) obtain informed consent from Texas citizens regarding the use of facial and voice biometric information through Google’s applications, and (2) failure to delete the biometric information in a reasonable time. Texas is one of the states that regulate the capture, use, and disposal of biometric information, and this is the first lawsuit against a company under this law. Google faces civil penalties of up to $25,000 per violation.

Another first in biometric litigation occurred in October when an Illinois jury found a company violated the Illinois Biometric Information Privacy Act (“BIPA”) 45,600 times over six years by collecting truck drivers’ fingerprints to verify identities without informed, written consent. The case was a class action lawsuit and the first jury verdict rendered under BIPA. The federal judge assigned to the case awarded the plaintiff-class a judgment totaling $228 million. Given the size of the verdict, this case will almost certainly be appealed or settled.


continue reading »