‘Sue First, Ask Questions Later’: Biometric Data Collection Could Cost CRE Millions — Even If It Follows The Rules

Biometric building access controls have become increasingly popular among security-minded residential and commercial property managers, but the legal risks of collecting and using this data are growing. 

A new surge in class-action lawsuits over biometric data collection under the Illinois Biometric Information Privacy Act, also known as BIPA, is leaving CRE operators vulnerable to liabilities totaling millions in damages and legal fees — even if they aren't doing anything wrong.

The Illinois statute is also setting a precedent for robust copycat laws that other states are considering passing, as well as potential federal legislation. 

“Plaintiffs' lawyers, if they see biometric information collection, they might just sue first and ask questions later,” said D. Reed Freeman Jr., a partner in the Washington, D.C., office of ArentFox Schiff LLP. “You could be completely compliant with the law and find yourself having to defend litigation and then prove that you're compliant.”

At least 2,000 suits had been filed as of earlier this year under BIPA since 2018, and legal experts told Bisnow the pace is only accelerating. This includes several high-profile, expensive settlements, like the $725M Facebook paid out in October after settling a class-action suit over allegations of biometric privacy law violations through facial recognition technology.

Commercial real estate is especially vulnerable to such suits, having enthusiastically implemented smart building technology in recent years. About 78% of business and property owners surveyed have adopted some form of the technology to drive energy efficiency, lower costs, decrease carbon emissions and manage return to work, according to a May survey from Toggled, a subsidiary of technology company Altair.

A separate survey from cloud-based access control company Brivo this spring found that 40% of respondents already use smartphone biometric security at all access points, and 60% are considering adding biometrics to their buildings in the next three years. Eighty percent said they would likely adopt face-based recognition tech if research showed it was affordable and widely adopted.

BIPA requires companies that collect biometric data like fingerprints and face scans to get written consent from employees and customers and create a written policy about its collection, retention and destruction. 

Although the Illinois Legislature passed BIPA 15 years ago, it has garnered attention of late with the increasingly widespread use of biometric technology and because of two decisions earlier this year by the Illinois Supreme Court. 

The first ruling found the law provided for a five-year statute of limitations on lawsuits against companies that collected biometric information from employees or customers without proper notice — instead of the one-year time limit argued by the business community.

In the second finding, one that could mean big payouts ahead, the court also ruled that each time a company collects someone’s biometric data in violation of the law, a separate claim for damages accrues. Under BIPA, that means $1K in damages for each “negligent” violation or $5K for each “reckless” or “intentional” violation.

“The upshot is that every single data collection creates another cause of action, and the court itself alluded to this as creating annihilative liability,” Goodwin Law partner Omer Tene said of the potentially crippling financial fallout of violations. “This is the term the court used, not me.” 

Even if a commercial real estate stakeholder doesn’t have any connections to Illinois or collect any data in the state, they still should be paying attention to developments in a rapidly changing legal landscape.

Especially this year, state privacy laws have been popping up “like mushrooms after the rain,” Tene said. 

As of December, there are 12 states with general privacy laws that include sections on biometric data collection, Tene said. Texas, Washington and Illinois have specific biometric data privacy laws, he said, while New York City passed a tenant-specific biometric law that imposes consent requirements on smart access buildings. 

National privacy protections could be coming as well. Congress was close to passing a federal privacy law last year that ended up fizzling out, but it could reemerge in the future, Tene said. 

“It's important to pay attention to the legal landscape of what laws are currently being considered, because this may change rapidly in the next few years,” Goodwin Law associate Joshua Fattal said.

For now, BIPA’s unique enforcement mechanism is what poses a substantial risk for commercial real estate entities that collect biometric data. Biometric privacy laws in Texas and Washington rely on regulators like the Federal Trade Commission or the state’s attorney general as enforcers, and privacy concerns don’t generally rise to the top of their agenda, Tene said.  

But with BIPA, any individual can file a lawsuit over the improper collection and mishandling of biometric data, Tene said. This opens the door for opportunistic class-action plaintiffs to “weaponize” the mechanism against certain businesses, he said. 

“Even if you have a very good case and ultimately, in some court a few years down the road, you will win, you will bleed dollars for legal defense, and it'll just be a huge pain to deal with,” Tene said. 

Still, there are good reasons some commercial real estate operators may want to use biometric identifiers. 

Some cloud-based access control systems can utilize the security credentials people use every day on their smartphones, granting users greater flexibility and ease of use in a space, said Kerstin Demko, vice president of marketing at Brivo.

“Overall, systems that use smartphones can reduce both hassles and costs for businesses and their employees,” Demko previously told Bisnow. “Onboarding can be handled remotely, and users are much less likely to lend their smartphone to someone else, making businesses and spaces more secure.”

Biometric technology can also more precisely prevent unauthorized individuals from entering secured areas or give more insight into who is on the property and where they are located. For instance, the software might alert system administrators that the company’s CEO is on the premises or that a former employee — now on a list of banned individuals — has entered the building and may pose a threat, according to a Princeton Identity report. 

CRE stakeholders who still want to use biometrics have tools to protect themselves from legal challenges.

First and foremost, businesses should make sure they are getting the appropriate “prior express written consent” before collecting biometric data, Fattal said. The key for the consent language is to be thorough and to address elements like the data disclosure and retention policy, as well as what access an individual has to that data, he said.

“It's really making sure that a consent mechanism is in place, but also that it's robust enough to withstand challenge,” Fattal said.

To deter frivolous litigation from opportunistic plaintiffs' attorneys, businesses should make it clear on their user interfaces that they understand biometrics law and their compliance obligations, Freeman said. Externally facing communication about a business’s preparedness for a lawsuit can discourage attorneys looking for fast cash, he said. 

“I think of the plaintiffs' bar as like investors,” he said. “Some cases are going to make them a lot of money. Some cases are going to pay the bills with maybe lower settlements. Why would they invest in a case that's going to be difficult and that they might lose?”

But some businesses shouldn’t use biometric identification at all.

Smaller businesses, in particular, should be careful before using biometric identifiers because they are less likely to be able to withstand the legal costs of a related lawsuit in the same way a larger company could, Freeman said.

“There is a tax associated with using biometric identifiers, and the tax might be the cost of litigation defense, even if you've complied with the law,” Freeman said. “A small company that may not be able to afford that tax might want to think twice about it, at least until the dust settles on this.”

It is also important to offer alternatives for employees and customers who want to enter a building but don’t want to provide biometric identifiers, Tene said, suggesting they carefully consider if the usage of biometric data is worth the risk.

“My advice to a property owner would be: If you roll this out in Illinois, certainly don't even think of doing it without consulting a lawyer who is steeped in privacy and biometric privacy,” Tene said. “Even consider just not doing it in Illinois, because there is some residual risk that is going to be very difficult to completely mitigate by contracts or consent.”