San Diego Businesses: Is it Time to Say “No” to Biometrics?
In our modern world, businesses have a tendency to think that every new technology is the “wave of the future” and the “key” to efficiencies, profits, and success. But, occasionally, certain technologies are just too fraught with legal risks, and maybe your business should just say “no.” Biometrics may be one of those technologies. Maybe using fingerprints for door locks and security saves the company a few thousand dollars a year, but maybe litigation and lawsuits will cost the company hundreds of thousands of dollars. Is it time to say “no” to biometrics? If you are currently using biometric data or if you are thinking of using biometrics, it might be wise to seek advice and counsel from an experienced San Diego corporate attorney.
Legal Dangers With Biometrics: What Has Changed?
Several important legal and real-world factual changes have occurred in the last few years that have cast doubt on the economic viability of biometric technology. First, businesses are confronted with huge cost risks associated with data breaches and successful hacking attacks. These have become all too common lately. The most famous recent example is Equifax’s data breach back in 2017. See news report here.
Since the breach, Equifax has spent hundreds of millions of dollars fixing the problem, defending lawsuits, responding to governmental inquiries, and dealing with public and customer relations. The breach will likely cost $500 million or more by the time all the issues are finally resolved. According to reports, only $125 million of that cost will be covered by insurance.
Second, businesses are confronted with new large cost risks associated with failure to obtain proper and full consents from customers and employees. California recently passed the California Consumer Privacy Act. See Cal. Civ. Code, § 1798.100 et seq. This Act contains a very broad definition of biometric data. Consent must be obtained prior to collecting and storing the biometric data and disclosures must be given. Failure to obtain the full and proper consents and failure to fully disclose will potentially lead to massive class action lawsuits and action by the California Attorney General. Illinois has had a statute protecting biometric data privacy for some years and businesses are reeling under the costs of dealing with the lawsuits. As we discussed here, the Illinois Supreme Court recently held that no actual harm is required for customers to sue for violation of the Illinois biometric privacy statute. See Rosenbach v. Six Flags Entertainment Corporation, Case No. 2019 IL 123186 (Ill. Supreme Court January 25, 2019). Already, a surge of class action lawsuits has resulted from the Rosenbach decision.
Third, what is required practically in the real world of business is in flux as legislators and judges consider definitions and case-by-case business behavior. Hundreds of lawsuits are inevitable over whether this or that form was good enough to qualify as “consent” under the statutory definitions. With websites, issues will arise about the Terms of Service Agreements and whether a click on a box on a website is good enough for disclosure and obtaining consent. How about litigating the argument that a customer or employee consented by their various behaviors? Under California law, one can consent to a contract by a course of behavior. The point is, no one knows for sure what is actually required for the consents and disclosures and, if you get sued, your business is going to be paying a lot in legal fees and in potential judgments. That is a lot of downside risk. Do you want your business to be a legal guinea pig?
Until the law is more settled, maybe it is better to say “no” to biometrics. At minimum, ask yourself whether collecting biometric data is truly necessary for your business. Under current conditions, the potential downside risks have to be weighed against the potential benefits. The Rosenbach case is a good example. The defendant was Six Flags Amusement Park and the biometric data collected was fingerprints. Use of fingerprint data was begun as an effort to curtail cheating by customers buying all-summer-season passes. Cheating was a common problem where one customer would buy a season pass, but share the pass with several friends during the summer. Using photo-identification was time-consuming, was off-putting to customers, and was not entirely effective. So, using biometric data had a big upside for the company. But now, the company is embroiled in a massive class action lawsuit. When the decision was made to use biometrics, it might have been a sound decision, but maybe not in hindsight.
Contact San Diego Corporate Law Today
If you would like more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard’s law practice is focused on business, transactional, and corporate matters and he proudly provides legal services to business owners in San Diego and the surrounding communities.