Biometric Data Collection: A Significant Risk for the Real Estate Industry

Biometric building access controls (i.e., “smart access” technologies) have become increasingly popular among residential and commercial property managers for the enhanced security benefits that these solutions provide. The benefits must be weighed against the potential legal risks associated with the collection and use of biometric data, which can be significant when rules governing the collection and processing of biometric data are not followed.

Biometric technologies may collect fingerprints, facial features, voiceprints, or other biometric data to verify the identity of residents and employees who enter or move through a facility. These biometric technologies are subject to increasing litigation and regulatory enforcement. To combat potential risks, property owners and managers should take proactive steps to become familiar with the compliance considerations associated with biometric data collection.

What Legal Risks Are Associated With Biometric Data Collection?

There has been a recent uptick in class-action lawsuits over biometric data collection under the Illinois Biometric Information Privacy Act (BIPA). In 2023, the Illinois Supreme Court ruled that separate claims for damages accrue each time a business scans a biometric identifier in violation of the law, potentially resulting in millions of dollars in fines. Even when leases or other agreements provide for arbitration, plaintiffs are starting to exploit mass arbitration approaches that have the potential to trigger very high arbitration filing fee reimbursement obligations. With additional states introducing and passing similar biometric privacy laws, we expect to see similar litigation and increased regulatory enforcement in other states soon. In light of these risks, it is important that property owners and managers assess their biometric data collection activities.

What is The Current State Of Biometric Laws in The US?

In the United States, biometric data collection is regulated at the state level. Illinois became the first state to regulate biometric data when BIPA passed in 2008. BIPA requires companies that possess biometric identifiers to obtain informed consent and a written release prior to collection, refrain from disclosing biometric information except in limited circumstances, and adhere to strict data retention practices, among other requirements. The Illinois Supreme Court held in 2019 that a plaintiff does not need to show actual injury or damages to succeed on a BIPA claim.

Other states are increasingly regulating biometric data as well. Texas and Washington have biometric laws with similar requirements that have begun to see enforcement by state attorneys general in the last two years. The last year and a half has also seen the passage of almost a dozen state comprehensive privacy laws from Oregon to Texas, many of which require companies to obtain affirmative consent before collecting biometric data. Additionally, municipalities such as New York have begun passing tenant-specific biometric laws that impose consent requirements on smart access buildings and create private rights of action for violations.

How Should Property Owners and Managers Manage The Risks Associated With Biometric Data Collection?

Property owners and managers should carefully consider the potential privacy and security risks associated with biometric data before installing new technologies and collecting biometric data from residents or corporate tenants. Companies that use systems that collect biometrics should consult with an attorney to review their current practices and determine any necessary remediation measures to mitigate litigation and regulatory risks. In addition, real estate investors need to add questions about biometric data collection to their due diligence processes.

For assistance with these issues, please contact Goodwin’s Real Estate team or Data, Privacy & Cybersecurity team.