November 11, 2021

Basics of Biometric Data. Part 2.

Understanding Legal Regulations: Evolving Regulations in Different Jurisdictions

European Union

The EU’s General Data Protection Regulation (GDPR) classifies biometric data as a special category of personal data and prohibits its processing unless the system’s end user provides explicit consent.

GDPR regulates activities of companies outside the EU if the company:

  • Offers goods or services to EU citizens.
  • Monitors the behavior of EU citizens.

Therefore, companies outside the EU with a multinational consumer base must also be aware of, and comply with, the GDPR.

In addition to the GDPR, there has been increasing scrutiny in the EU since the European Commission (EC) registered a European Citizens’ Initiative (ECI) on January 7, 2021, called “Civil society initiative for a ban on biometric mass surveillance practices.” The initiative asks the EC to prohibit indiscriminate or arbitrarily targeted uses of biometric data, which its organizers believe undermine the fundamental rights of EU citizens.

On April 23, 2021, the European Data Protection Supervisor (EDPS) declared that it would continue to advocate for a stricter approach to automated recognition in public spaces. It noted that biometric identification may contribute to unprecedented developments and present extremely high risks of non-democratic intrusion into private lives.

Illinois

Illinois was one of the first states in the USA to address biometric privacy with the passage of the Biometric Information Privacy Act (BIPA) in 2008. BIPA defines biometric identifiers as a retina or iris scan, fingerprint, voiceprint, or a scan of hand or face geometry.

BIPA includes five key requirements that an entity collecting biometric information from a data subject must follow, including the following:

  • Providing written notice and receiving a written release prior to collecting biometric information.
  • Prohibiting the entity from profiting from or disseminating the biometric information.
  • Requiring the entity to implement a reasonable standard of care for security protection.

BIPA also provides for a private right of action, allowing any person aggrieved by a violation of BIPA to have a right of action against an offending party. This has already led to several class action lawsuits being filed in Illinois.

Notably, in January 2019, the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corporation held that:

“An individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person.”

A subsequent class action settlement of $36 million was approved for all people who visited the Six Flags Gurnee park between October 1, 2013 and December 31, 2018 and were required to provide a fingerprint scan to enter. Legislatures in New York and Maryland have since proposed similar legislation.

California

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) include all categories of biometric information, unlike the Illinois BIPA, which focuses on physical biometrics.

The CPRA classifies the processing of biometric information for the purpose of uniquely identifying a consumer as sensitive personal information; as a result, consumers have the right to limit the use and disclosure of that data.

The CCPA and CPRA provide only a limited private right of action for those seeking damages from misappropriated biometric information. An aggrieved person may only seek damages if personal information is subject to unauthorized access as a result of a business’s violation of the duty to implement and maintain reasonable security procedures.

What Does This Mean For Companies Using Biometrics?

The collection and protection of data is a major topic of interest that is increasingly prominent in both the legal and news spotlights. Companies can expect heightened scrutiny of any technology they offer that leverages biometric data as part of its authentication processes and service offerings.

On August 13, 2021, U.S. Senators Amy Klobuchar, Bill Cassidy, and Jon Ossoff announced a letter to the President and CEO of Amazon Inc. on its biometric data collection practices relating to Amazon One, a palm-print recognition and payment system. The letter expressed concerns about how Amazon intends to use the data gathered by Amazon One and how it secures that biometric data.

As personal data is regarded as a leading form of currency for businesses, companies must navigate the significant legal implications of protecting it. From utilizing identity verification tools to collecting, analyzing, and sharing data, mitigating data privacy and protection risks requires a responsive legal strategy.

Refining your Privacy Strategy with Experts at Han Santos

As biometric data becomes an increasing area of interest to Han Santos and our clients, we will be leading a series of discussions and articles on legal issues related to data considerations for Mergers & Acquisitions, Privacy & Cybersecurity, IP & Trade Secrets, litigation and more.
