Privacy, Technology and Perspective
Five Steps for Keeping Biometric Laws Under Your Thumb. The use of biometrics is growing alongside its related privacy risks. Yet, when considering biometrics, many companies still fail to recognize the risks or otherwise appropriately address them. We’re here to help with a little five-step primer on how to approach biometric laws.
First, realize that biometric information is considered sensitive and private. While there is not yet consensus about what information qualifies as private “biometric information,” generally the term covers data that is biologically unique to an individual, such as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
Second, recognize that the legal landscape for biometric privacy is evolving. The California Consumer Privacy Act (“CCPA”) specifically cites biometric information as a type of personal information (at Section 1798.140 (o)(1)(E)), but several states have biometric privacy-specific laws, which you can review at the following link:
In addition, the U.S. Congress is currently entertaining federal legislation concerning facial recognition technology. You can read more about that proposed legislation at the following link:
With biometrics in the crosshairs of the federal and other state legislatures, there is a compelling case for placing primacy on privacy in this context.
Third, identify and address the primary risk, which at this time is the risk of a class action arising under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14. To review the text of BIPA, click on the following link:
A summary of the statute and its requirements follows:
BIPA provides standards of conduct governing private entities’ collection and possession of biometric identifiers and biometric information (together, “biometric data”). 740 ILCS 14/15. BIPA requires private entities that “possess” biometric data to develop a written policy, me available to the public, establishing a retention schedule and guidelines for destruction of biometric data. Id. § 14/15(a). It also requires private entities that “collect, capture, purchase, receive through trade, or otherwise obtain” a person’s biometric data to: (1) inform the individual that the data is being collected or stored; (2) inform the individual of the purpose and length of the collection and storage; and (3) obtain written consent to collect the data. Id. § 14/15(b). BIPA additionally prohibits private entities “in possession of” biometric data from selling the data and forbids such entities from “disclos[ing]” the data without consent or other authorization. Id. § 14/15(c)-(d). Finally, BIPA requires “using the reasonable standard of care within the private entity’s industry” to store and protect biometric data. 740 ILCS 14/15(e).
You can read more about BIPA by reading this previous post:
Fourth, consider the technologies embedded in your business, and identify those that may implicate biometric data (and BIPA). For example:
· Hand or fingerprint scanners, which may be associated with business and security screening, biometric time-tracking technologies and smart vending machines;
· Facial recognition technologies; and
· Voice recordings, including those associated with smart speakers, tablets and digital assistants;
Finally, use caution before contracting for any technology that includes a biometric component. The best practice would be to conduct a privacy impact assessment (“PIA”). A PIA would allow your company to fully evaluate the privacy risks associated with the procurement and use of the technology. Anecdotally, we have often found that the business case for such technologies weakens in the face of a PIA, and that businesses have opted for other technology solutions as a result.
Realize also that standard vendor contracts often offer only abstract references to data security, and do not meaningfully disclose how data, including biometric data, is disseminated or shared with outside hosts or other parties. Understanding biometrics data flows can be critical to both securing that data and complying with law that requires vendor control and informed consent.
Also recognize that vendor contracts usually place affirmative obligations on the counterparty (in other words, your company) to comply applicable law. We have seen some contracts that specifically reference BIPA’s requirements and require compliance with them.
So when contracting, prioritize privacy, do appropriate due diligence and negotiate. Additionally, realize that even then, you may have work to do internally before you can use biometric technologies in a manner that is consistent with BIPA—starting with obtaining informed consents and implementing appropriate policies for retention and destruction of biometric data.
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.