Biometric Privacy Compliance Tips

Practical Compliance Tips: Portland Private-Sector Facial Recognition Ban

David J. Oberly |

The city of Portland, Oregon, made headlines last year when it became the first jurisdiction in the nation to enact a blanket ban on the use of facial recognition technology (“FRT”) by all private entities physically located within its city limits. While many cities have banned the use of face biometrics by law enforcement and parts of the public sector, the Portland ordinance is noteworthy because it drastically expanded the scope of this new type of regulation to also reach the private sector.

Since that time, the city of Baltimore, Maryland, followed suit with a similar private-sector facial biometrics ban of its own. More jurisdictions, including both cities and potentially states as well, are likely to add new laws mirroring those of Portland and Baltimore in the immediate future, especially as facial recognition continues to receive regular negative media coverage highlighting its claimed shortcomings, including potential accuracy and bias problems.

Combined, all companies that operate in Portland and use any type of software or other technology that may capture images of individuals’ faces should evaluate whether the new ordinance applies to them and, if so, take immediate action to ensure compliance with the law. And from a broader perspective, as this draconian type of biometric privacy regulation is likely expand to additional parts of the country moving forward, companies that use or intend to use any type of facial recognition technology need to familiarize themselves with this new type of biometrics regulation and consider taking proactive steps to minimize their anticipated liability exposure.


  • Scope/Applicability: The Portland ordinance bars the use of “facial recognition technologies” by “private entities” in “places of public accommodation” within the City of Portland.
  • “Private Entity”: The ordinance defines the term “private entity” in similar fashion to the Illinois Biometric Information Privacy Act (“BIPA”) as “any individual, sole proprietorship, partnership, limited liability company, association, or any other legal entity, however organized.”
  • “Face Recognition Technologies”: Face recognition technologies means “automated or semi-automated processes using Face Recognition that assist in identifying, verifying, detecting, or characterizing facial features of an individual or capturing information about an individual based on an individual’s face.”
  • “Face Recognition”: Face recognition, in turn, is defined as “the automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository (one-to-many search).”
  • “Places of Public Accommodation”: “Places of public accommodation” is defined broadly to mean “[a]ny place or service offering to the public accommodations, advantages, facilities, privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise.”


  • Certain Places of Public Accommodation: Excluded from the scope of the ordinance are “institution[s], bona fide club[s], private residence[s], [and] place[s] of accommodation that [are] in [their] nature distinctly private.”
  • Legal Compliance: The ordinance does not apply to the use of FRT to the extent necessary to comply with federal, state, or local laws.
  • User Verification: The ordinance does not apply to the use of FRT for user verification purposes, but only in the narrow context of allowing an individual to access his or her individual or employer-issued communication or electronic device.
  • Automatic Face Detection: Finally, the ordinance does not apply to the use of FRT “[i]n automatic face detection services in social media applications.”

Core Compliance Requirement

  • Prohibition on FRT Use: Under the ordinance, private entities are barred from using face recognition technologies in places of public accommodation within city limits.

Enforcement and Remedies

  • Private Right of Action: Any person “injured” by a material violation of the ordinance may pursue class action against the offending private entity.
  • Recoverable Damages: A person injured by a violation of the ban can recover $1,000 per day for each day of the violation or actual damage sustained as a result of the violation, whichever is greater, as well as “such other remedies as may be appropriate.”
  • Attorneys’ Fees: Attorneys’ fees are also recoverable, but only if certain actions are taken by the injured person before filing suit. Specifically, a plaintiff must submit a written demand for the payment of a claim on the offending private entity and its insurer (if known to the plaintiff) at least 30 days before the filing of the complaint. Where this is completed, a court may award to a prevailing plaintiff a “reasonable amount” of attorneys’ fees. Conversely, a plaintiff cannot recover attorneys’ fees if, before suit was filed, the offending private entity tendered to the plaintiff an amount that is at least equivalent to the damages awarded to the plaintiff in the litigation, exclusive of any costs, interest, and prevailing party fees.

Practical Compliance Tips & Best Practices

For companies operating in Portland, immediate action should be taken if not already done so to ensure compliance with the city’s FRT ban. Companies should consider the following action steps to determine the applicability of the ban to their operations and to come into compliance with the Portland ordinance if the organization falls under the scope of the law:

  • Determine Whether Technology Falls under Scope of Law: First, companies should determine if their technology falls under the scope of the law. To do so, the system must engage in identifying, verifying, detecting, or characterizing facial features or capture information about an individual based on his or her facial features.
  • Evaluate Applicability of Exceptions to Ban: If the technology is found to fall under the scope of the ban, the next step is to evaluate whether any of the limited exemptions offered by the ordinance can be satisfied to allow the company to continue its use of the technology.
  • Cease All Use of FRT If No Exceptions Apply: If none of the exceptions apply, the company must immediately cease all use of its FRT technology.
  • Identify Availability of Any Suitable Alternative Technologies: At the same time, companies that are no longer permitted to use their current FRT technology should evaluate whether any alternative technologies can be implemented to accomplish the same objectives—such as identification, verification/authentication, or security—for which facial recognition was used.
Biometric Privacy Compliance Tips Case Law Developments Legislative Developments & Trends

Current BIPA Trends: Class Actions Targeting the Use of Voice Data

David J. Oberly |

2021 has brought with it a sizeable expansion in the types of technology and companies that are now being targeted with bet-the-company Illinois Biometric Information Privacy Act (“BIPA”) class action lawsuits. The first major expansion involved the targeting of virtual try-on technology, a feature made even more popular during the COVID-19 pandemic, which, according to plaintiffs, utilizes facial recognition technology. More recently, a high volume of BIPA class action suits have been filed targeting the use of voice-powered technologies.

BIPA & Voice Data

BIPA regulates the collection, use, and storage of “biometric identifiers,” which includes—among other things—“voiceprints.” However, the term “voiceprint” is not defined in Illinois’ biometric privacy statute. “Voiceprint” is generally defined as a distinctive pattern of curved lines and whorls made by a machine that measures human vocal sounds for the purpose of identifying an individual speaker. It is this hallmark of identifying (or verifying the identity of) an individual that makes voice data a “voiceprint” under BIPA. In this respect, courts have noted that voice biometrics, also known as voiceprinting, is the use of biological characteristics—one’s voice—to verify an individual’s identity.

Thus, a critical distinction exists between general voice data, which is not covered by BIPA, and voiceprint, which fall under the scope of Illinois’ biometric privacy statute—with the important dividing line being the identifying quality of the biometric information. In a 2017 case, an Illinois federal court recognized this distinction, noting the difference between the mere capture of voice data and an actual “voiceprint.” In doing so, the court noted that if an entity simply captures a person’s voice without generating a voiceprint for the specific purpose of identifying ,or verifying the identity of, an individual, then there is no violation of BIPA.

Case Law Developments Class Action Litigation Defense Strategies

Designing a BIPA Defense: Biometric Manufacturer & Vendor Litigation Strategies

Amanda M. Noonan |

Class action litigation against biometric technology manufacturers and vendors is on the rise. Several courts have recognized the viability of such claims and held manufacturers/vendors may be subject to liability under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act (“BIPA”). 740 ILCS 14/15(b) & (d); Figueroa v. Kronos Inc., 454 F. Supp. 3d 772, 784-86 (N.D. Ill. 2020). The merits of these BIPA claims are yet undetermined. But the risk of having to defend such claims in state and federal courts is real and ongoing.

As the saying goes, the best defense is good offense. Rather than face uncertain liability, or incur exorbitant litigation defense costs, potential BIPA defendants often turn to arbitration provisions. For manufacturers/vendors of biometric technology, however, this approach may not be that simple.


Practical Compliance Tips: New York City “Commercial Establishments” Biometric Privacy Law

David J. Oberly |

New York City (“NYC”) has quickly become one of the newest hotbeds of biometric privacy legislative activity, having enacted several laws since the start of 2021 that directly govern the collection and use of biometric data.

In addition to the New York City Tenant Data Privacy Act (“TDPA”), which regulates the use of biometric data by owners and operators of “smart access buildings,” New York City Council also enacted the nation’s first municipal-level biometric privacy law regulating “commercial establishments” (the “NYC Biometrics Ordinance”), which went into effect on July 9, 2021.

Because the NYC Biometrics Ordinance will almost certainly not be the last of its kind, commercial establishments that utilize biometric data in their business operations—even those located beyond the borders of the Big Apple—should take proactive steps to implement robust biometric privacy compliance programs to ensure continued compliance with current and anticipated biometrics laws to mitigate potential liability exposure.


  • Scope/Applicability: The NYC Biometrics Ordinance applies to the collection and use of “biometric identifier information” by “commercial establishments.”
  • “Biometric Identifier Information”: Biometric identifier information is defined in broad terms as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”
  • “Commercial Establishment”: Commercial establishment is broadly defined to mean “a place of entertainment, a retail store, or a food and drink establishment.”
Case Law Developments

Illinois Appellate Court Clarifies Applicable Limitations Period in BIPA Class Action Litigation

David J. Oberly |

On September 17, 2021, the Illinois Appellate Court First District delivered its much-anticipated decision in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sep. 17, 2021), addressing the applicable statute of limitations for causes of action asserted under the Illinois Biometric Information Privacy Act (“BIPA”).

The court held that claims brought under Sections 15(a), (b), and (e)—pertaining to the law’s privacy policy/data destruction, notice/consent, and data security requirements—are subject to a five-year statute of limitations. Conversely, claims asserted under Sections 15(c) and (d)—relating to the law’s ban on profiting from biometric data and disclosure limitations—are subject to a one-year limitations period.

Importantly, in finding that BIPA’s two most commonly asserted provisions, Sections 15(a) and (b), are subject to the longer five-year limitations period, the opinion ensures that the tsunami of class action BIPA filings will continue to flood the courts for the foreseeable future.

The Lighter Side of Biometrics

Welcome to Biometric Privacy Insider!

Jeffrey N. Rosenthal |

Welcome to the inaugural blog post of the Biometric Privacy Insider!

Authored by Blank Rome LLP’s dedicated Biometric Privacy Team—seasoned privacy, cybersecurity, artificial intelligence, and class action attorneys from around the country—the Biometric Privacy Insider is a one-stop destination for all things biometrics. Readers can expect the same in-depth analysis that has become the hallmark of our scholarship and speaking engagements, but in more bite-sized tidbits designed for regular consumption. Our goal is to help readers stay abreast of legal trends, technological developments, compliance options, legislative action, and strategies to avoid certain pitfalls when using or implementing biometrics. But that is not to say there isn’t room for some levity now and again too!

At its core, biometrics is the use of immutable human characteristics—such as a person’s voice, fingerprint, handprint, facial geometry, iris, etc.—for purposes of identification and/or authentication. And while recent technological advancements in the field of biometrics have changed the way we travel, pay for goods and services, access sensitive data, and protect our identities online, the use of biometrics also comes with legal risks as lawmakers across the country pass laws regulating this technology. To date, several states have enacted targeted biometrics laws, including the well-known Illinois Biometric Information Privacy Act. Others have ramped up efforts to enact similar laws of their own. While still other states are encompassing biometric data within their new, broader consumer privacy statutes and/or amending data breach notification statutes to make existing laws applicable to biometrics. As a result, the commercial use of biometric data has led to a significant wave of class action litigation for alleged technical missteps—a trend that will continue, if not increase, during the foreseeable future.

The recent advancement of technology and artificial intelligence, coupled with the growing utilization of biometric data, has forced clients to address and minimize the risks associated with biometric privacy regulatory compliance, enforcement, and litigation. This blog will examine these emerging issues and provide practical guidance for businesses seeking to navigate the myriad biometric privacy laws. Our team is thrilled to use this platform to share our perspectives on timely topics, including compliance best practices, emerging legal trends involving biometrics laws and technology around the country and the world, risk mitigation, and litigation strategy.

Whether you’re looking for a welcome distraction, or a call to action; an industry trend, or what the case law portends; compliance advice, or insight on a new biometric device; a discussion of some new technology, or just some folly, the Biometric Privacy Insider has you covered! We invite you to join us as we navigate the myriad opportunities and challenges associated with the ever-expanding and fascinating world of biometrics!


Practical Compliance Tips: Texas Capture or Use Biometric Identifier Act (“CUBI”)

David J. Oberly |

For some time now, the well-known Illinois Biometric Information Privacy Act (“BIPA”)—discussed in this previous blog post—has garnered much of the spotlight in the area of biometric privacy. What many are unaware of, however, is that several similar state-level biometric privacy laws are also currently in effect in other parts of the country. One of those laws is Texas’ Capture or Use of Biometric Identifier Act, Tex. Bus. & Comm. § 503.001 (“CUBI”). While not as threatening to businesses that use biometrics in their operations as its Illinois counterpart, CUBI nonetheless poses substantial liability exposure risk for noncompliance.


  • Scope of Applicability to Businesses: CUBI applies to the collection of “biometric identifiers” for a “commercial purpose.”
  • “Biometric Identifier”: Biometric identifier means a “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.”
  • “Commercial Purpose”: “Commercial purpose” is defined by the statute. In the absence of additional guidance, companies should assume a commercial purpose includes any business purpose or related purpose tied to company operations.

Practical Compliance Tips: Illinois Biometric information Privacy Act (“BIPA”)

Jeffrey N. Rosenthal |

Of all the targeted state biometric laws currently on the books, none poses more of an existential threat to companies than the Illinois Biometric Information Privacy Act (“BIPA”). BIPA has recently become the darling of the plaintiffs’ bar and the preferred statute under which bet-the-company class actions are being filed. If you have a presence in Illinois and use biometrics in your operations, chances are reasonably good you will be facing down a BIPA complaint at some point. But don’t despair! There are several proactive compliance steps to mitigate or, ideally, avoid such liability. And even after a case has been filed, there are several established (and even more developing) defenses available to minimize liability or obtain an outright dismissal. For example, having an enforceable arbitration agreement can be one of the most effective ways to mitigate the ever-increasing scope of biometric privacy exposure.

At their core, biometric systems analyze unique physical/behavioral human characteristics to identify and verify the identities of individuals. In our personal lives, this means using our faces to unlock our phones, or our eyes to unlock our homes. In our professional lives, companies may be verifying customer identities via facial scans or voice recognition software, or using employee fingerprints to track time and attendance, just to name a few.