Additional Obligations Regarding the Use of Biometric Data

Date Last Revised: August 17, 2022

This Biometric Data Addendum supplements Evident’s Terms and Conditions related to the Relying Party’s use of the Subscription Services that include the potential collection, use, storage or transmittal of an individual’s or end-user’s biometric data, including biometric identifiers or biometric information. The purpose of this Biometric Data Addendum is to clarify and emphasize that the Relying Party may have an individual and separate obligation to comply with data privacy laws in their particular jurisdiction that may be implicated by the Relying Party’s use of the Subscription Services or the Relying Party’s potential collection, use, storage or transmittal of an individual’s biometric identifiers or biometric information, including where Evident performs these activities on the Relying Party’s behalf.

When Relying Party uses biometric data (e.g., a scan of facial geometry, a scan of a photograph involving facial geometry, imagery of the face, iris, retina, or fingerprint, etc.) such biometric data may be protected by various biometric privacy laws. One example is Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq. BIPA requires private entities doing business in Illinois to comply with certain requirements pertaining to the collection, use, storage, and transmittal of biometric identifiers or biometric information, including that a private entity must obtain informed written consent from an individual before collecting, using, storing, or transmitting and individual’s biometric identifiers or biometric information. BIPA also requires private entities to establish, maintain and adhere to a publicly available data retention schedule for any biometric identifiers or biometric information that the company collects, captures, possess, or stores.

Under BIPA, individuals have a right of recourse against private entities that violate the requirements of the statute, including that individuals may recover $1,000 in liquidated damages for each negligent violation of the statute or $5,000 in liquidated damages for reckless or intentional violations of the statute.

Similar laws have been enacted and others are pending at all levels of government in states and municipalities across the United States. For example, California’s updated privacy law (effective 1/1/2023) requires businesses that process biometric data for identity purposes to permit consumers to opt-out of such processing, and new privacy laws in Colorado (effective 7/1/23), Connecticut (effective 7/1/23), Utah (effective 1/1/24) and Virginia (effective 1/1/23), require businesses to obtain a consumer’s prior, opt-in consent before collecting and processing “sensitive data,” which includes biometric data. For purposes herein, these types of laws will be referred to as “Biometric Information Privacy Laws,” and biometric identifiers and biometric information will be referred to as “Biometric Data.”

1. RELYING PARTY OBLIGATIONS.

Relying Party acknowledges that it is responsible for determining whether it is subject to any Biometric Information Privacy Laws, including with respect to Relying Party’s use of Evident’s services. Relying Party further acknowledges that it is responsible for complying with any Biometric Information Privacy Laws to which it is subject through Relying Party’s use of the Subscription Services or Relying Party’s collection, use, possession, storage or transmittal of any individual’s biometric data in connection with using the Subscription Services. Relying Party represents and warrants that it will ensure that it is, and shall remain, compliant with all applicable Biometric Information Privacy Laws. Relying Party further acknowledges that nothing in this Biometric Data Addendum, the Terms and Conditions, or in the functionality of the Subscription Services shall be construed as legal advice from, by, or on behalf of Evident or its representatives. Relying Party acknowledges that it may and should consult legal counsel of its choosing to determine whether and to the extent Relying Party is subject to Biometric Information Privacy Laws and any obligations Relying Party may have to comply with the requirements of those laws.

2. RELYING PARTY CERTIFICATION, INDEMNIFICATION.

Relying Party represents and warrants that it will comply with all applicable Biometric Information Privacy Laws prior to using the Subscription Services, as applicable, and that it will comply with all requirements of the Biometric Privacy Laws prior to collecting, capturing, storing, possessing, using or transmitting any individual’s biometric data. This specifically includes Relying Party’s representation and warranty that (i) it will obtain all necessary consents from the affected individuals, as applicable under the Biometric Information Privacy Laws, before collecting, capturing, storing, possessing, using or transmitting any individual’s Biometric Data, and (ii) where Relying Party uses any methods and terminology provided by Evident to provide notices and/or obtain consents required by Biometric Information Privacy Laws, it has consulted with its own legal counsel regarding such Evident functionality and is solely responsible for Relying Party’s use thereof for its compliance with Biometric Privacy Laws. Further, Relying Party shall defend, indemnify and hold harmless Evident and its officers, directors, employees, affiliates, agents, representatives, contractors and each of their successors from and against any third-party claims, demands, suits, judgments, losses, expenses, costs, and liabilities, including but not limited to reasonable attorney’s fees and litigation costs and expenses (collectively, “Claims”), to the extent any Claims arise out of or relate to Relying Party’s noncompliance, or Evident’s noncompliance to the extent Evident’s noncompliance arises out of an act or omission by Relying Party, with any of the Biometric Information Privacy Laws. Evident reserves the right to select counsel of its choosing to defend itself, in accord with the indemnification set forth above, in any suit or proceeding related to such Claims.

3. DISCLAIMER.

RELYING PARTY ACKNOWLEDGES AND AGREES THAT THE EVIDENT SUBSCRIPTION SERVICES ARE TECHNOLOGY TOOLS TO BE USED BY RELYING PARTY FOR VERIFICATION SERVICES OR RELATED SERVICES AND ARE NOT MEANT TO ENSURE COMPLIANCE OR PROVIDE LEGAL ADVICE REGARDING RELYING PARTY’S COMPLIANCE WITH ANY APPLICABLE LAWS, INCLUDING BIOMETRIC INFORMATION PRIVACY LAWS. AS BETWEEN THE PARTIES, RELYING PARTY IS SOLELY RESPONSIBLE FOR SUCH COMPLIANCE.

4. PENALTIES.

Relying Party understands that Biometric Information Privacy Laws impose potential financial penalties against any private entity that violates the provisions of the statute.