
Automotive biometrics drive innovation and litigation risk


Over the past decade, the use of biometrics – measurements of people’s unique physical, physiological, biological, or behavioral characteristics – in smartphones, wearable technology, and employee timekeeping devices has become commonplace. As part of a rapidly growing trend, automobile original equipment manufacturers (“OEMs”) are incorporating biometric trackers and analytics into a broad array of vehicle features to improve security and safety. For example, some vehicles are equipped with fingerprint scanners and facial recognition tools to secure vehicles, and pulse- and eye-tracking technology to monitor drivers’ eyelid fatigue and medical emergencies that would render the driver unable to control the vehicle. As biometric data continues to play an increasingly prominent role in the automotive industry, a corresponding heightened risk of litigation follows in two key areas: (1) under biometric privacy laws, and (2) in cybersecurity class and mass action litigation in the U.S. and EU.

I. BIPA & GDPR Suits Race Ahead

In the U.S., plaintiffs have filed thousands of biometric data privacy suits over the last several years, primarily against technology companies for their use of fingerprint timekeeping software or facial recognition technology. However, as the use of biometric data becomes more ubiquitous across industries, the plaintiffs’ bar has expanded the range of defendants for its suits to include automobile OEMs. Nearly all of these lawsuits allege claims and damages under the Illinois Biometric Information Privacy Act (“BIPA”), the predominant statute for biometric class action litigation in the U.S., which provides Illinois residents with a private right of action if their biometric information has been collected or shared without proper disclosure of the company’s policy for retention and deletion or without the consumer’s informed written consent.

While early BIPA suits focused on biometric information used to identify individuals (e.g., fingerprints and facial recognition software), more recent suits center on biometric information not specifically designed to identify the data subject (e.g., vocal comprehension technology and facial geometry measurements). For instance, recent BIPA suits against cosmetic companies allege BIPA violations through their offering of online makeup filters that utilize facial geometry to simulate the appearance of the makeup on a customer’s face but do not attempt to identify the customer. These suits point to potential exposure for automobile OEMs that are introducing safety features in their vehicles that rely on heart rate monitoring, eyesight tracking, and facial geometry measurements, even without an intent to use those measurements for identification purposes. 

Indeed, over the past two years, there has been an uptick in BIPA suits filed against automobile OEMs including, for example, allegations that certain automakers collect drivers’ facial geometry without proper consent in connection with advanced autopilot features. Similar litigation also has been filed against transportation companies that use facial recognition cameras powered by artificial intelligence (“AI”) to monitor and analyze driver activity in the vehicles in their fleets and to protect against losses arising from vehicle collisions. These cases exemplify the expansion of BIPA litigation to target the automotive industry and encompass broader forms and uses of biometric data. 

As the risk of automotive BIPA litigation increases, automobile OEMs should think proactively about how to mitigate this risk through appropriate retention and deletion practices, and by providing effective notice and receiving effective consent. Receiving effective consent might prove particularly challenging for non-owner drivers and passengers, especially minors.

In Europe, the counterparts to BIPA suits are claims under the General Data Protection Regulation (“GDPR”) for data privacy infringements, further fostered by the Directive on “Representative actions for the protection of the collective interests of consumers,” which was adopted by the European Commission in late 2020 and had to be transposed by the EU Member States by December 2022. Biometric data is considered a form of personal data protected by the GDPR, and due to the perceived sensitivities of biometric data, it is subject to a general ban on processing unless certain exceptions apply. With biometric data more frequently being used across industries, EU plaintiffs will likely focus on the heightened requirements under the GDPR regarding explicit consent for processing biometric data in asserting claims against – inter alia – automobile OEMs.

II. No Stop in Sight for Cybersecurity Class Actions in the U.S. and EU

In addition to BIPA and GDPR suits, the use of biometric data in vehicles introduces cyber risk which, in turn, may lead to an increase in cybersecurity class and mass actions and regulatory investigations both in the U.S. and the EU. Biometric data has no intrinsic value, but unlike passwords or credit card information, it generally cannot be changed or replaced once compromised. 

Cybersecurity litigation in the U.S. has shown that when plaintiffs can argue that the impacted data elements are sensitive, they are more likely to survive a motion to dismiss for failure to allege injury and damages arising out of a data breach. Similarly, case law out of EU courts demonstrates that in countries like Germany where courts were previously reluctant to award high immaterial damages, such damages are now being awarded when sensitive data is involved that carries some risk of future misuse. Plaintiffs will argue that breaches of biometric information should fall into the latter category, and that data security incidents impacting even a single person’s biometric data stored within an individual automotive vehicle could have significant consequences depending on how that data is used. If an attacker is able to exploit a vulnerability that allows for access to biometric data from one vehicle, it could potentially access and exfiltrate biometric data from numerous other vehicles. Additionally, if automobile OEMs upload and store biometric data collected across vehicles into one centralized database or the cloud, a breach of large volumes of biometric data sets would lead to even greater litigation risk. 

In short, the use of biometrics in vehicles is an area of litigation risk as more automobile OEMs use or collect a broad range of biometric information. Automobile OEMs should evaluate their biometric data handling practices and confirm that reasonable security measures are being implemented to protect all biometric data.

 

 

Authored by Allison Holt Ryan, Vassi Iliadis, Martin Strauch, Alicia Paller, and Jay Ettinger.
