For online gaming and sports betting, facial recognition can help make sure that the person accessing the website or app is in fact the person whose eligibility was approved for participation.

With the rise of state legislation regarding collection of consumer biometric data, online gaming and sports betting operators need to be diligent about how they collect information and verify users' identities.

Five states (California, Colorado, Virginia, Connecticut and Utah) have passed comprehensive privacy legislation that includes restrictions on use of biometric data, and three states (Illinois, Texas and Washington) currently have legislation specifically regarding private entities' collection and processing of biometric data. Additional states continue to propose similar legislation.

One of the most prominent uses of biometric data by private entities is identity verification. The need to verify individuals' identities becomes heightened in regulated spaces such as online gaming and sports betting. Permitting an individual's participation in online gaming and sports betting inherently requires a thorough look at that individual and whether they meet eligibility criteria. Among other things, this means confirming that they are of legal age to participate and confirming that they have passed anti-money laundering and know-your-customer requirements upon onboarding. 

Companies often seek to reduce identity security risks by implementing multifactor authentication (MFA), requiring that an individual authenticate their identity by providing at least two distinct methods of verification.

In the past year, New Jersey and Pennsylvania enacted legal requirements for operators regarding the use of MFA in the online gaming setting. In New Jersey, this specifically requires using any two-part combination of (1) information known to the person (such as a password), (2) an item such as an authentication token and (3) biometric data (such as facial recognition).

Using biometric information can be a more efficient way of verifying someone's identity in situations where using traditional methods of MFA, such as SMS verification, is impracticable or likely to create friction for consumers. Additionally, biometric authentication can be a more certain way to verify someone's identity by using biometric identifiers unique to only that individual. Common forms of collecting biometric data include facial recognition, fingerprint mapping and retina scanning.

For online gaming and sports betting, facial recognition can help make sure that the person accessing the website or app is in fact the person whose eligibility was approved for participation. This is frequently done using the front-facing camera on a mobile device.

With the rise of laws aimed at protecting consumers' biometric data, companies will need to carefully consider what information they collect from consumers, how they collect and process that information, how proper consent is obtained and how to ensure proper disclosures are made to the consumer.

Failure to maintain a compliant framework for handling consumer data can jeopardize a business and can be an expensive error.

Violations of data protection laws in California, Virginia, Colorado, Utah, Texas and Washington can result in enforcement actions by the state’s attorney general's office and fines for violations. Under California law, consumers have a right to bring class action claims if there is a breach involving biometric data with statutory damages available up to $700 per person. The Illinois Biometric Information Privacy Act (BIPA) gives individuals the private right to bring class action claims for violations with available statutory damages of $1,000 for a negligent violation and $5,000 for an intentional or reckless violation.

In October 2022, the first BIPA case that went to trial resulted in a $228 million verdict. The verdict calculated statutory damages on a per user basis. However, in the recent February 17, 2023, opinion, the Illinois Supreme Court held that “a claim accrues under the [Illinois Biometric Information Privacy] Act with every scan or transmission of biometric identifiers or biometric information without prior informed consent.” Cothron v. White Castle Sys., Inc., 2023 IL 128004. This holding means that a noncompliant company could be liable for monetary damages of at least $1,000 not just per user, but for each biometric scan. This ruling will exponentially increase possible damages for BIPA violations.

For More Information

If you have any questions about this Alert, please contact Adam Berger, Michelle Hon Donovan, Ariel Seidner, any of the attorneys in the Privacy and Data Protection Group, any of the attorneys in our Gaming Industry Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.