The Impact and Cost of Biometric Data Privacy Laws on Online Gaming and Sports Betting

Expert insight provided by Adam Berger, Michelle Hon Donovan and Ariel Seidner from Duane Morris

With the rise of state legislation regarding collection of consumer biometric data, online gaming and sports betting operators need to be diligent about how they collect information and verify users' identities.

Five states (California, Colorado, Virginia, Connecticut and Utah) have passed comprehensive privacy legislation that includes restrictions on use of biometric data, and three states (Illinois, Texas and Washington) currently have legislation specifically regarding private entities' collection and processing of biometric data. Additional states continue to propose similar legislation.

One of the most prominent uses of biometric data by private entities is identity verification. The need to verify individuals' identities becomes heightened in regulated spaces such as online gaming and sports betting. Permitting an individual's participation in online gaming and sports betting inherently requires a thorough look at that individual and whether they meet eligibility criteria. Among other things, this means confirming that they are of legal age to participate and confirming that they have passed anti-money laundering and know-your-customer requirements upon onboarding.

Companies often seek to reduce identity security risks by implementing multifactor authentication (MFA), requiring that an individual authenticate their identity by providing at least two distinct methods of verification.

In the past year, New Jersey and Pennsylvania enacted legal requirements for operators regarding the use of MFA in the online gaming setting. In New Jersey, this specifically requires using any two-part combination of (1) information known to the person (such as a password), (2) an item such as an authentication token and (3) biometric data (such as facial recognition).

Using biometric information can be a more efficient way of verifying someone's identity in situations where using traditional methods of MFA, such as SMS verification, is impracticable or likely to create friction for consumers. Additionally, biometric authentication can be a more certain way to verify someone's identity by using biometric identifiers unique to only that individual. Common forms of collecting biometric data include facial recognition, fingerprint mapping and retina scanning.

For online gaming and sports betting, facial recognition can help make sure that the person accessing the website or app is in fact the person whose eligibility was approved for participation. This is frequently done using the front-facing camera on a mobile device.

With the rise of laws aimed at protecting consumers' biometric data, companies will need to carefully consider what information they collect from consumers, how they collect and process that information, how proper consent is obtained and how to ensure proper disclosures are made to the consumer.

Failure to maintain a compliant framework for handling consumer data can jeopardize a business and can be an expensive error.

Violations of data protection laws in California, Virginia, Colorado, Utah, Texas and Washington can result in enforcement actions by the state's attorney general's office and fines. Under California law, consumers have a right to bring class action claims if there is a breach involving biometric data, with statutory damages available up to $700 per person. The Illinois Biometric Information Privacy Act (BIPA) gives individuals a private right to bring class action claims for violations, with available statutory damages of $1,000 for a negligent violation and $5,000 for an intentional or reckless violation.

In October 2022, the first BIPA case that went to trial resulted in a $228 million verdict. The verdict calculated statutory damages on a per user basis. However, in the recent February 17, 2023, opinion, the Illinois Supreme Court held that “a claim accrues under the [Illinois Biometric Information Privacy] Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Cothron v. White Castle Sys., Inc., 2023 IL 128004. This holding means that a noncompliant company could be liable for monetary damages of at least $1,000 not just per user, but for each biometric scan. This ruling will exponentially increase possible damages for BIPA violations.