Navigating the Landscape of US State Biometric Privacy Laws

The Basics of Biometric Privacy

The term "biometric privacy" refers to the ability to manage, control, and make decisions regarding personal data that includes unique identifiers such as fingerprints, retina or iris patterns, or other biometric data. It is an important part of protecting the privacy of individuals, as biometric data is often unique to an individual and can be used in various ways, such as for identification, authentication, and authorizing access to resources. Biometric data cannot be changed and, therefore, comprises permanent personally identifiable information. The prevalence of biometric data and its usage has continued to increase in conjunction with the rapid development of technology. Biometric data can be found in everything from smartphones, tablets, and laptops to public transportation passes, payment cards, and government-issued identification. Just as some individuals have concerns about how their personal data will be used in the tech space, there are security concerns associated with the use of biometric data and the information contained within that data. It is important to understand the legal requirements for protecting the privacy of biometric data and the growing interest in legislation pertaining to that privacy.

What Constitutes Biometric Data

The term "biometric data" broadly refers to a variety of physical data that can be used to identify an individual. Biometric data is any data that relates to the physical characteristics of a person, and can include fingerprints, facial recognition data, retinal scans, and other physiological data. Biometric data can also include information relating to the behavioral and psychological characteristics of an individual, such as speech patterns, typing behavior, eye movement, and more.
Companies collect biometric data for a multitude of purposes. Biometric data is often collected for security purposes, such as to restrict access to a particular location or to authorize a specific transaction. One common use of biometric data is to replace access cards in the workplace. Adding the requirement to pass a biometric authentication step before accessing a secure location increases the security of the location. For example, many smartphone devices store biometric data, such as for a fingerprint authentication function, to prevent unauthorized users from accessing sensitive data stored on the phone.
Like traditional information technology, biometric data can be subject to certain risks. From a privacy perspective, concerns related to the collection of biometric data focus on the potential for misuse of the data. In addition to traditional risks associated with technology, the irreversible nature of biometric data and the potential for permanent loss of control over the privacy of biometric information pose additional risks. When a physical identifier is compromised, there is little that can be done to address the breach. Although password protection may not be perfect, it is far easier to change the characters of a password than it is to update a fingerprint. And we have generally come to expect that electronic systems—including corporate data systems—will require regularly changing passwords. The irreversible and unique nature of biometric data creates risks that are not present with many other forms of personal information.

An Overview of Federal Laws on Biometric Privacy

The handling of biometric information is not just inconsistent from state to state in the United States. There is no comprehensive federal law either. As a result, employers are learning the hard way that the risks involved in collecting biometric data differ widely from jurisdiction to jurisdiction, even with respect to data that goes by the same name.
There is presently no comprehensive biometric privacy law at the federal level. A collection of federal regulatory schemes does regulate specific types of biometric data, but there is no single statute governing how all employers may collect, use, or share biometric records, with certain limited exceptions. The most familiar of these exceptions is the collection of biometric data by the U.S. Department of Homeland Security: in particular, the US-VISIT program (for non-immigrant visitors) and the U.S.-VISAL for immigrant visitors.
There is also some federal regulation of certain employers. Employers using the Electronic Employment Verification System, the federal virtual registry for those authorized to work in the U.S., are required to collect fingerprints from all employees and to follow the federal Privacy Act of 1974 with respect to what they do with them. Additionally, the Federal Bureau of Investigation requires federal contractors to record fingerprints through the Fingerprint Chart. Those charts are subject to the Privacy Act and must be safeguarded as well.
Finally, the Genetic Information Nondiscrimination Act (GINA) protects genetic data and prevents its use by employers in certain employment decisions. This could potentially extend to some biometric data, such as DNA samples, but it is limited in scope.

Illinois Biometric Privacy Law

Arguably the most significant state biometric privacy law in this area is the Illinois Biometric Information Privacy Act (BIPA). This law, passed in 2008, requires employers to provide written notice to their employees "(1) that a biometric identifier or biometric information is being collected" and "(2) cross-reference to the employee’s rights under this Act." 815 ILCS 630/10(a). The Act defines "biometric identifiers" as "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry" and "biometric information" as "any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual."
The statute goes on to require that any business collecting such data "develop a written policy, made available to the public," that explains how long biometric information will be stored and under what circumstances it will be destroyed, and that it will "not sell, lease, trade, or otherwise profit from the biometric information of an individual." It also provides that no biometric information may be disclosed to a third party without notice, and that a business must obtain written consent if biometric information will be disclosed for a commercial purpose.
BIPA grants, unusually for a privacy statute, a private citizen the right to sue for violations of the statute, and it provides for damages: "Each violation of [the Act] shall be actionable by a party aggrieved by such a violation in an action filed against an entity that violates this Act. . . . [A]ny person aggrieved by a violation of this Act shall be entitled to recover for each violation (1) statutory damages of $1,000 or actual damages, whichever is greater; and (2) reasonable attorneys’ fees and costs, including expert witness fees and other litigation costs reasonably incurred." 815 ILCS 630/20.

California’s Biometric Privacy Statute

The CCPA is the first comprehensive set of privacy laws enacted in the United States. It seeks to ensure that California residents are both informed when companies collect personal data and given reasonable control over the use of their personal data. The CCPA does not explicitly cite biometrics, but it does cover biometric data in general. The disclosure requirements apply to businesses that collect biometric data "for monetary or other valuable consideration" but do not cover businesses acting as service providers "on behalf of a business." Further, biological data must be "processed by a business" to be protected, rather than merely being necessary for business activities and associations with consumers.
The CCPA requires that a business not sell a consumer’s biometric data or engage in joint or cross-context behavioral advertising. Any third-party marketer must provide a way for a consumer to opt out. Relevant disclosures to use biometric data include:
The CCPA provides a private right of action for violations. Notably, a consumer can recover damages from a business that fails to adopt proper data security measures for biometrics. Where such measures are adopted but still fail to protect a consumer’s biometric data, that consumer can receive $100-$750 in statutory damages per violation or actual damages, whichever is greater. However, only businesses that sell biometric data are subject to enforcement actions by the California Attorney General, meaning that businesses only have to be concerned with CCPA violations if they sell consumer data.
Under the CCPA, the right to sue can be triggered even if the consumer suffers no technical injury. Because a consumer can recover substantial amounts of statutory damages, as well as having the ability to sue for a data breach, this can have an outsized impact on potential liability for various types of biometric data collection. The CCPA does not require a plaintiff to prove that an entity’s failure to implement reasonable biometric data protections was negligent, but merely that the entity failed to implement them. This lack of a required showing of negligence makes such claims potentially much harder to defend than negligence or gross negligence claims.
But will all this effort pay off? For those that fall within the reach of the CCPA, there is a "cure" period that allows violators to mitigate the possible penalty. Notwithstanding the friendlier amendment in the California legislature to the Illinois BIPA, and notwithstanding the lack of legislative or case law history on the application of the CCPA, the CCPA is historic in many ways.

Texas’ Biometric Privacy Statute

The history of US biometric laws is relatively short, with some of the most notable acts – like Illinois’ BIPA – having been put into effect only as recently as 2010. As the field of biometric data has developed, so too have the states which have chosen to legislate its use. Texas’ active law dates back to 2009 with the Capture or Use of Biometric Identifier Act (CUBI). The most direct form of biometric data, "biometric identifiers," includes information pertaining to "a person’s retina or iris, fingerprint, voiceprint, or hand or face geometry." The law, however, also encompasses "biometric information," which covers any data that can be fully or partially used to identify an individual.
The provisions of CUBI are somewhat similar to those of BIPA: companies looking to capture or use a customer’s biometric data must disclose their purpose, maintain a retention schedule, and destroy the data in a timely manner – within one year of the purpose’s end. Texas, however, goes a step further. Under CUBI, businesses collecting biometric data must also "obtain informed consent," which in this case necessitates a signed release from the individual or a "parent or guardian of a minor who possesses legal rights over the child," and must create a publicly available policy.
Texas’ biometric law also differs from that of Illinois in its private right of action. Plaintiffs may not file suit against violators within the state. Instead, enforcement rests with the Texas Attorney General’s Office: the AG "may bring an action against any person…violating [CUBI] for the civil penalty, injunctive relief, and declaratory relief," or "a civil penalty of $25,000 for each violation."

Other States with Unique Biometric Laws

A number of other states have introduced or passed biometric privacy bills, or have pending legislation, that is more limited than BIPA but has implications for employers. Other states with biometric laws or pending legislation include:
California – The California Consumer Privacy Act ("CCPA") (SB 1121) was signed into law on June 28, 2018 and, effective January 1, 2020, among other things, will require covered businesses to disclose to employees data about the business’s collection of personal information from, for example, biometric data.
California – SB 1189 was passed in California as a limited amendment to the Civil Code sections incorporated into BIPA and imposes special requirements on businesses that license biometric information of minors.
Arkansas – SB 254 (2017) prohibits certain private entities from requiring a biometric scan for entrance into a building, with certain exceptions, does not allow employers to require it, and requires covered entities to destroy the collected data within 30 days of termination of the contract. No civil cause of action is authorized under the act. The law took effect January 1, 2018.
Utah – SB 245 (2018) limits collection and use of biometric data by agencies, authorities, and political subdivisions of the state of Utah if it is collected by audio or video recording; however, if the collection is "minimally intrusive" and used for law enforcement, the law does not apply. No private cause of action exists. The law took effect May 8, 2018.
Virginia – SB 656 (2017) prohibits certain private entities from scanning a person’s biometric identifiers, unless given the opportunity to opt-out, and prohibits further usage of the biometric data without consent. The law offers a private cause of action for individuals or the attorney general. The law took effect July 1, 2017.
Idaho – SB 1154 (2018) prohibits certain covered entities from scanning a person’s biometric identifier, prohibits deceptive trade practices involving biometric identifiers and data, and prohibits further usage of previously collected biometric data without consent. The law took effect March 28, 2018.
Washington – SB 5759 (2018) seems to go further than CUBI in that it requires opt-in consent for collection of biometric identifiers (as opposed to just personal information) but does not limit the use of the identifiers after disclosure. The law took effect July 1, 2018.

Critiques of State Laws on Biometrics

Despite their growing implementation, state biometric laws are not without criticism. Critics find fault with the vagueness of the term "biometric identifier," the lack of uniformity in state statutes, and the challenges of enforcing the statutes in light of modern technology. They also criticize numerous aspects of compliance with the statutes, particularly given the highly unpredictable and increasingly mobile nature of business operations.
To begin, the fingerprinting requirement set forth under Illinois’ BIPA is arguably vague and poorly defined. The term "biometric information" encompasses more than just fingerprinting; it also includes retina or iris scans, voiceprints, or scans of hand or face geometry. Understanding what does or does not constitute "biometric" information is not intuitive, and virtually every state law uses a slightly different term to describe protected biometrics. A biometric identifier is defined as a "retina scan, fingerprint, voiceprint, or other scan of a person’s hand or face geometry." New York law adopts similar definitions, while California excludes retina scans, voiceprints, and hand or face geometry scans. The interpretive darkness does not end there: while some state laws (e.g., California, Idaho, Louisiana, Minnesota, and Texas) apply to both private and public entities, others (e.g., Connecticut, Florida, Illinois, Montana, New Hampshire, South Carolina, and Washington) may only cover "persons" but not "governmental" entities. Adding to the regulatory confusion, a government entity may be able to sidestep state biometric privacy laws through a so-called "data-breach" statute, which applies to "personal information" rather than "biometric identifiers." Such a hodgepodge of laws presents a significant challenge to businesses that must now comply with divergent requirements in as many as 14 states with some sort of biometric-related law.
In addition to the issue of enforcement, some critics cite the fact that only one case has been decided at the state supreme court level. Moreover, there has been an influx of class action lawsuits in the absence of any comprehensive verdicts from higher courts, which may suggest attempts at forum-shopping in light of the above inconsistency. Class actions in Massachusetts, for example, present key issues for employers: (1) whether the employer’s biometric data-retention policy constitutes "injury in fact" for purposes of standing, and (2) whether the policy falls under the insurance "exclusion clause" of the employer’s policy, which covers injuries that infringe upon individuals’ rights of privacy but excludes injuries related to the employer’s liability in privacy class actions. Again, uncertainty abounds when it comes to determining when a claim should be treated as privacy-based versus tortious-conduct-based, especially where the class action concerns liability under multiple state laws. Such fragmentation may ultimately force businesses to rely on pay-out resolutions, as opposed to anything resembling uniformity in enforcement.

The Future of Biometric Privacy Legislation

It’s clear from the patchwork of biometric privacy laws already on the books across the United States that social and political pressures have thus far been sufficient to press for legislation, particularly at the state level. By their nature, biometric identifiers require new approaches to, and evolutions of, security systems to handle and store these identifiers safely under the law. In addition to approaching the problem from a technical angle, legislatures must necessarily update legal frameworks as well to accommodate this new frontier of data. As such, further legislative efforts aimed at biometric privacy seem inevitable, particularly as biometric technology becomes even more prevalent in the consumer sphere, through applications like Apple’s Face ID on the iPhone and Microsoft’s Windows Hello.
One concern, however, is that unless states evolve their laws to better recognize the inherently fluid and context-dependent nature of biometric identifiers, businesses subject to inconsistent regimes across state lines (handling, for example, customers’ fingerprints) could be burdened with contradictory and duplicative requirements.
As things stand, there is no federal law addressing biometric privacy. However, given concerns about the vagueness of state laws, the constant expansion of biometrics definitions, and recent pushes for a national digital privacy standard, it seems likely that the future of biometric laws in the US will revolve around efforts to create a uniform legal framework for handling biometric data; perhaps at the federal level, or perhaps in the form of an overarching federal standard that states can adapt as their legislative priorities dictate. One possible way to accomplish this is to incorporate biometrics into existing federal data privacy frameworks such as HIPAA and the Gramm-Leach-Bliley Act, but even without an expansion of existing laws, the Uniform Law Commission may consider whether a uniform act for biometric data can be agreed upon among the states.
There seems little question that biometric data is only going to become more prevalent (and perhaps only more controversial) in the years to come. Businesses would do well to remain vigilant as opposed to waiting until they receive a demand letter to think about the legislative landscape.