Biometrics technology is increasingly used by organizations, and that means companies will need to be more careful to preserve individuals’ privacy
Biometrics usually refers to either measurable human biological and behavioral characteristics that can be used to identify an individual or automated methods that can recognize individuals based on certain biological and behavioral characteristics.
Biometric technology has evolved significantly in recent years, and some of the most common uses include identification, health & fitness tracking, authentication, corporate security, and timekeeping.
Currently, no federal law directly addresses the collection, use, storage, and disclosure of biometric data; however, Section 5 of the Federal Trade Commission (FTC) Act gives the FTC broad authority to protect consumers from unfair and deceptive trade practices in or affecting commerce. Under that authority, the FTC may take enforcement action against commercial organizations that engage in unfair and deceptive practices involving biometric data. If an organization that collects and uses biometric data fails to keep its promises to consumers regarding its handling of that data, it risks an FTC enforcement action.
Biometric data collection, use, disclosure, and storage present challenging privacy and security concerns because individuals cannot change their biometric data. In response to the risks presented by this data, Illinois, Texas, and Washington have adopted the following laws focused specifically on biometric data handling:
- The Illinois Biometric Information Privacy Act (BIPA)
- The Texas Capture or Use of Biometric Identifier Act (CUBI)
- Washington State’s law regarding biometric identifiers (Washington Biometric Law).
Although only three states thus far have enacted comprehensive statutes addressing biometric data handling, many other states regulate some aspect of biometric data in other ways. Several states, including California, Colorado, Connecticut, Texas, Oregon, and Virginia have enacted general privacy laws that include biometric information in the definition of personal information. In addition, several US cities have adopted ordinances governing biometric data, including New York City and Portland, Oregon. Many other cities have enacted laws that regulate law enforcement’s use of facial recognition technology.
In addition, BIPA, CUBI, and the Washington Biometric Law all impose distinct obligations on persons or entities that collect biometric data compared to those that simply possess biometric data.
The laws’ scope of coverage
The scope of coverage under BIPA, CUBI, and the Washington Biometric Law are similar, but the laws differ in the following respects:
BIPA scope of coverage
BIPA applies to private entities that include individuals, partnerships, corporations, or limited liability companies, and associations or other groups, however organized. Specifically, BIPA broadly applies to those entities collecting or possessing biometric identifiers or biometric information, while CUBI and the Washington Biometric Law only apply to biometric identifiers collected or possessed for commercial purposes.
CUBI scope of coverage
CUBI applies to the collection and possession of biometric identifiers for a commercial purpose. However, CUBI does not define commercial purpose or specify the persons and entities the law covers. CUBI excludes from its scope voiceprint data retained by financial institutions or their affiliates, as defined under the Gramm-Leach-Bliley Act (GLBA).
Unlike BIPA and the Washington Biometric Law, CUBI does not specify the persons and entities subject to the law. CUBI also provides fewer exceptions from the law than BIPA and the Washington Biometric Law.
Washington Biometric Law scope of coverage
The Washington Biometric Law covers all individuals and legal entities except government agencies, activities subject to HIPAA, law enforcement activity, and financial institutions and affiliates subject to the GLBA.
The Washington Biometric Law specifically applies to biometric identifiers collected, maintained, and used for a commercial purpose.
Notice and consent
BIPA, CUBI, and the Washington Biometric Law all include notice and consent requirements before an organization may collect or obtain biometric identifiers or biometric information. Organizations should ensure they implement a system for providing and tracking notice and obtaining consent. This can be done electronically, for example, before collecting a fingerprint scan by providing an electronic notice and consent in which the individual clicks a box to consent. Organizations also should implement a system for storing notices and consents obtained under any applicable statute of limitations.
Sale, use, and disclosure restrictions
BIPA, CUBI, and the Washington Biometric Law all restrict the sale, use, and disclosure of biometric data, yet there are key differences among the laws.
For example, unlike CUBI and the Washington Biometric Law, BIPA prohibits the sale, lease, trade, or profiting from biometric identifiers or biometric information under any circumstance, including with the individual’s consent. Organizations may disclose, redisclose, or disseminate biometric identifiers or biometric information under BIPA for other purposes if they meet an exception.
Also, CUBI and the Washington Biometric Law allow organizations to sell, lease, or disclose biometric data if they meet an exception such as consent. The Washington Biometric Law allows for these disclosures with an individual’s general consent; however, CUBI only allows individuals to consent for certain defined purposes, including where disclosure is required by state or federal law.
Organizations subject to BIPA, CUBI, and the Washington Biometric Law must implement a system to ensure they do not disclose biometric data unless a statutory exception applies, and sell or otherwise profit from biometric data in the organization’s possession unless a statutory exception applies. The exceptions under each law differ so organizations must understand in which cases the laws permit or restrict disclosures.
Security & storage requirements
BIPA, CUBI, and the Washington Biometric Law all require persons and entities to protect biometric data using a reasonable standard of care. However, the laws do not define or provide guidance on what constitutes reasonable data security. Therefore, organizations should conduct due diligence to ensure that they comply with any data security standards applicable to their industry and other generally recognized data security standards to protect biometric data.
BIPA, CUBI, and the Washington Biometric Law all require the destruction of biometric data after a certain time, but no later than when the initial collection purpose ends. To that end, organizations should decide on a retention schedule and implement a system to ensure it destroys biometric data in the required timeframe. For example, if an organization requires customers to scan fingerprints for entry to an amusement park, it can arguably retain that data for the duration of the amusement park season. Or an employer that captures an employee’s biometric data for security purposes, should understand that the purpose typically expires on termination of employment.
To ensure they comply with retention obligations, organizations should retain an outside vendor or work closely with their information technology department.
Determining whether collector or possessor obligations apply
BIPA, CUBI, and the Washington Biometric Law also impose specific obligations on persons or entities in possession of biometric data compared to those that simply collect biometric data. Private entities may have both collector and possessor obligations; however, it should be understood that collector obligations exceed possessor obligations.
Organizations must analyze whether they collect or possess biometric data or both. In Illinois, case law can help organizations assess what constitutes possession of biometric identifiers or biometric information. However, there are no reported cases or guidance on the meaning of possession under CUBI or the Washington Biometric Law. Organizations may therefore decide that compliance with both collector and possessor obligations under these laws is the best way to protect against regulatory action.
If a third-party vendor offers biometric technology or services to customers that collect biometric data in Illinois, Texas, or Washington, it may be a possessor under the laws. These third parties and their customers should address any potential obligations through contractual clauses by examining several factors, including: i) whether the customer collects biometric data in Illinois, Texas, or Washington; ii) which party must comply with all obligations under applicable laws; iii) whether the contract should include indemnification clauses, such as requiring reimbursement for lawsuits, regulatory inquiries, and any other costs associated with biometric data law violations; and iv) whether the clients or third-party vendors have adequate insurance to cover biometric data claims and violations.
As the use of biometrics technology becomes increasingly commonplace among organizations, any companies involved will need to become acquainted with applicable state laws and take special care to preserve individuals’ privacy.
This article was written by Thomson Reuters Practical Law Data Privacy & Cybersecurity