Internet & Social Media Law Blog
The latest trend in generative AI is the rise of “AI Assistants” or “Chatbots.” These tools are increasingly trained on internal company data to interact directly with consumers and aim to improve customer service by generating responses on behalf of the organization. However, this brings new legal challenges, especially regarding data privacy. Because “biometric” data or information is often broadly defined, compliance with privacy regulations becomes critical when chatbots and AI agents use voiceprints, cameras (capturing or processing hand or facial geometry) or other sensors to provide a personalized service. Companies should implement safeguards to meet legal requirements, avoid penalties, and secure insurance coverage to mitigate financial risks related to compliance with data privacy laws and regulations.
The Growing Use of AI and Biometric Data in Retail
Biometric data has many use cases within the retail world and a retailer’s ability to enlist AI technology to predict consumer behavior, create personalized marketing campaigns, and train customer service chatbots to streamline processes seemingly creates various opportunities for innovation and commercial growth. The use and development of AI can often rely on biometric data to deliver personalized experiences and streamline operations. Common applications include:
- Facial or Fingerprint Data. Biometric data is often used for customer identification, enhancing security, and to facilitate payment methods.
- Voice Recognition. Voice data can be employed to enhance security, in virtual assistants, and customer service bots to provide tailored interactions and personalized marketing.
- Behavioral and Body Analytics. This data can be used to analyze customer movements, sentiments, and interactions within stores to optimize layout and product placements or to inform personalized and targeted marketing campaigns. Body scans can be used to create individual style and product recommendations to consumers.
Enacted in 2008, Illinois’s Biometric Privacy Act (BIPA) is one of the strictest biometric privacy laws in the United States and has led to numerous lawsuits and penalties. BIPA governs the collection, use, and handling of biometric data, including fingerprints, voiceprints, retina or iris scans, and facial scans. The law applies to private entities that do business in Illinois or collect, store, or use biometric data from Illinois residents. Best practices for biometric data privacy compliance include:
- Informed Consent and Transparency. Retailers must provide clear written notices to customers, before collecting any biometric data, explaining the purpose and duration of data collection and storage. Consent must be explicitly obtained before the collection to ensure customers understand how their data will be used.
- Retention Schedule. Prepare and implement a retention schedule and guidelines for destroying biometric data.
- Review and Audit Data Flows. Review and audit the onward flow of data to vendors and ensure that there are proper agreements with the vendors to process such data and to delete/destroy it as needed.
- Comprehensive Privacy Policies. Retailers should have detailed, easily accessible privacy policies outlining biometric data practices, including retention schedules and destruction protocols. Regular reviews ensure policies stay current with legal developments.
- Implement Data Security Measures and Prepare for Data Breaches. Organizations can adopt industry-standard encryption, access controls, and conduct regular security audits to protect data from breaches. In the event of a breach of biometric data, retailers should act swiftly to mitigate damage and meet notification requirements, including informing customers and authorities.
- Conduct Training and Regular Audits and Updates. Employee education on biometric privacy requirements is also important. Regular training sessions help staff understand legal obligations and company policies, serving as evidence of good faith in litigation. Retailers can regularly audit data practices and update policies to keep pace with legislative changes and evolving best practices.
Notably, when it comes to BIPA, many courts interpreting the statute have increasingly expanded the scope of liability, proving BIPA to be a rather unforgiving statute for private entities that process biometric data. Until August 2024, BIPA liability accrued per violation, leading to potentially massive penalties for repeated data transmissions. However, on August 2, 2024, Illinois amended BIPA to limit damages by treating the repeated collection of the same biometric data without consent as a single violation.
In addition to Illinois, several other states have enacted privacy laws specifically regulating the collection and use of biometric data, including Colorado, Texas and Washington. Even in states without biometric-specific legislation, biometric data is considered “sensitive data” and will trigger specific notice and consent obligations. As retailers continue to explore and deploy AI-assisted customer service tools and personalization services, additional obligations will apply to the extent these tools and services are solely automated without human review and result in consequential decisions, such as the provision or denial of a financial service.
Retailers should continue implementing policies to ensure compliance with biometric data privacy laws as they adopt new technologies to enhance customer experiences. Additionally, retailers can mitigate financial risks associated with violations by obtaining data privacy-specific insurance coverage.
Insurance Coverage and Recovery Considerations
Due to the potential for significant fines and legal expenses associated with biometric data privacy violations, retailers should seek cyber liability insurance with appropriate biometric data coverage. Retailers should consider the following when seeking and confirming coverage:
- Review and Comply with Insurance Policies. Retailers should thoroughly review existing policies—such as general liability, cyber liability, and errors and omissions (E&O) insurance—to assess coverage for biometric data breaches. Adherence to policy terms, implementing security measures, updating privacy policies, and promptly reporting incidents are essential to ensure coverage. Note that oftentimes the compliance gaps and breaches occur with vendors and services providers and insurance coverage should be reviewed to assess vendor use of emerging technologies like AI agents.
- Obtain Specialized Coverage. If current policies lack adequate coverage for biometric data incidents, retailers should obtain specialized cyber liability insurance that specifically covers BIPA and/or other biometric data privacy. Gap or tail insurance may also be necessary if business operations cease.
- Document Compliance Efforts. Thoroughly document all efforts to comply with privacy law, including customer consents, privacy policies, security measures, and employee training. This documentation will prove useful for claims and in defense of litigation. To the extent many of the new AI tools and services are not developed in-house but rather procured through third-party developers, identify potential risks posed by key vendors and suppliers.
- Engage Legal Counsel. Work with AI knowledgeable legal counsel experienced in data privacy and insurance laws to navigate compliance and insurance complexities. Legal experts can help interpret policies, negotiate terms, and manage claims.
AI offers retailers opportunities to enhance customer experiences and develop business opportunities. Maintaining communication with insurance providers, understanding data privacy-related requirements to ensure informed consent, privacy policies, and security measures are implemented are key to protecting biometric data and building customer trust.
RELATED ARTICLES
Insurers Seek to Avoid Coverage for BIPA Claims by Using Old Exclusions for New Purposes
The Duty to Defend a Privacy Claim Arises from Even Limited Publication of Biometric Identifiers