The Lighter Side of Biometrics

Welcome to Biometric Privacy Insider!

Jeffrey N. Rosenthal |

Welcome to the inaugural blog post of the Biometric Privacy Insider!

Authored by Blank Rome LLP’s dedicated Biometric Privacy Team—seasoned privacy, cybersecurity, artificial intelligence, and class action attorneys from around the country—the Biometric Privacy Insider is a one-stop destination for all things biometrics. Readers can expect the same in-depth analysis that has become the hallmark of our scholarship and speaking engagements, but in more bite-sized tidbits designed for regular consumption. Our goal is to help readers stay abreast of legal trends, technological developments, compliance options, legislative action, and strategies to avoid certain pitfalls when using or implementing biometrics. But that is not to say there isn’t room for some levity now and again too!

At its core, biometrics is the use of immutable human characteristics—such as a person’s voice, fingerprint, handprint, facial geometry, iris, etc.—for purposes of identification and/or authentication. And while recent technological advancements in the field of biometrics have changed the way we travel, pay for goods and services, access sensitive data, and protect our identities online, the use of biometrics also comes with legal risks as lawmakers across the country pass laws regulating this technology. To date, several states have enacted targeted biometrics laws, including the well-known Illinois Biometric Information Privacy Act. Others have ramped up efforts to enact similar laws of their own. While still other states are encompassing biometric data within their new, broader consumer privacy statutes and/or amending data breach notification statutes to make existing laws applicable to biometrics. As a result, the commercial use of biometric data has led to a significant wave of class action litigation for alleged technical missteps—a trend that will continue, if not increase, during the foreseeable future.

The recent advancement of technology and artificial intelligence, coupled with the growing utilization of biometric data, has forced clients to address and minimize the risks associated with biometric privacy regulatory compliance, enforcement, and litigation. This blog will examine these emerging issues and provide practical guidance for businesses seeking to navigate the myriad biometric privacy laws. Our team is thrilled to use this platform to share our perspectives on timely topics, including compliance best practices, emerging legal trends involving biometrics laws and technology around the country and the world, risk mitigation, and litigation strategy.

Whether you’re looking for a welcome distraction, or a call to action; an industry trend, or what the case law portends; compliance advice, or insight on a new biometric device; a discussion of some new technology, or just some folly, the Biometric Privacy Insider has you covered! We invite you to join us as we navigate the myriad opportunities and challenges associated with the ever-expanding and fascinating world of biometrics!


Practical Compliance Tips: Texas Capture or Use Biometric Identifier Act (“CUBI”)

David J. Oberly |

For some time now, the well-known Illinois Biometric Information Privacy Act (“BIPA”)—discussed in this previous blog post—has garnered much of the spotlight in the area of biometric privacy. What many are unaware of, however, is that several similar state-level biometric privacy laws are also currently in effect in other parts of the country. One of those laws is Texas’ Capture or Use of Biometric Identifier Act, Tex. Bus. & Comm. § 503.001 (“CUBI”). While not as threatening to businesses that use biometrics in their operations as its Illinois counterpart, CUBI nonetheless poses substantial liability exposure risk for noncompliance.


  • Scope of Applicability to Businesses: CUBI applies to the collection of “biometric identifiers” for a “commercial purpose.”
  • “Biometric Identifier”: Biometric identifier means a “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.”
  • “Commercial Purpose”: “Commercial purpose” is defined by the statute. In the absence of additional guidance, companies should assume a commercial purpose includes any business purpose or related purpose tied to company operations.

Practical Compliance Tips: Illinois Biometric information Privacy Act (“BIPA”)

Jeffrey N. Rosenthal |

Of all the targeted state biometric laws currently on the books, none poses more of an existential threat to companies than the Illinois Biometric Information Privacy Act (“BIPA”). BIPA has recently become the darling of the plaintiffs’ bar and the preferred statute under which bet-the-company class actions are being filed. If you have a presence in Illinois and use biometrics in your operations, chances are reasonably good you will be facing down a BIPA complaint at some point. But don’t despair! There are several proactive compliance steps to mitigate or, ideally, avoid such liability. And even after a case has been filed, there are several established (and even more developing) defenses available to minimize liability or obtain an outright dismissal. For example, having an enforceable arbitration agreement can be one of the most effective ways to mitigate the ever-increasing scope of biometric privacy exposure.

At their core, biometric systems analyze unique physical/behavioral human characteristics to identify and verify the identities of individuals. In our personal lives, this means using our faces to unlock our phones, or our eyes to unlock our homes. In our professional lives, companies may be verifying customer identities via facial scans or voice recognition software, or using employee fingerprints to track time and attendance, just to name a few.