The Origins of BIPA
In 2008 a biometric payments company, Pay By Touch, spectacularly failed and ceased operations. This created widespread concern in Illinois, home of the defunct company, because it left the status of biometric data belonging to almost three million customers in question. The principal concern was whether this data could be sold through the bankruptcy proceedings.
In response, Illinois passed the Biometric Information Privacy Act (BIPA). Simply put, BIPA requires entities that use biometric technology to inform users in writing about how the data will be stored, how it will be used, and for how long. Further, the statute emphasizes that no biometric data can be disclosed, sold, leased, traded or otherwise used for monetary gain.
In truth, the law was not passed just to impose penalties for the misuse of biometric data, but as a good faith effort to remove concerns about the use of biometrics. The preamble to BIPA tellingly states that “[a]n overwhelming majority of members of the public [were] weary of the use of biometrics” and “deterred from partaking in biometric identifier-facilitated transactions.”
While the intent of BIPA was to regulate the unfettered collection and use of biometrics, as well as to reassure the public that it’s safe to use biometrics, one has to ask if the legislation has helped the general welfare or hurt it.
The Law of Unintended Consequences Casts Its Shadow
Biometrics provide numerous benefits to businesses and the public at large. Fraud prevention, identity assurance, reduced transaction costs, personalization services, transactional efficiency and secure access control are just a few of the many benefits that accrue from the use of biometrics.
There is concern from both industry and government that laws throttling the use of biometrics are not in the public’s best interest but work in opposition to it. Laws that impose class action penalties for mere procedural violations could cause a raft of unintended and undesirable consequences. Some outcomes to consider are:
- Will laws such as BIPA end up discouraging the use of biometrics, exposing businesses and the public to higher levels of fraud and theft than would otherwise be possible with biometrics in place?
- Will jurisdictions that impose restrictive sanctions on the use of biometrics discourage innovation and dissuade tech firms and their customers from investing in those localities?
- Moreover, will such jurisdictions become a litigation haven for opportunistic legal firms that become the sole beneficiaries of laws originally conceived to promote the welfare of the community?
Learning and Applying the Lessons from BIPA
In response to the flurry of lawsuits, industry coalitions representing technology companies and retailers have worked closely with legislatures to temper legislation governing the use of biometrics.
The Washington and Texas laws might be the best examples of how industry has influenced legislation in an attempt to protect the public from poorly conceived biometric implementations while encouraging their use for the benefits they provide. These laws are more even-handed versions of BIPA. They still place reasonable limits on the use of biometric data but reserve enforcement powers for the State Attorney General.
Complying with Current Laws and Preparing for Future Legislation
There is a growing number of Federal and State laws currently being considered, and some will certainly be signed into law at some point in the future. Future legislation will likely continue to require informed consent for biometric data capture, management, usage, and disposal policies. It is fairly straightforward to protect the advantages that biometrics provide to your organization now and in the future. To collect or capture a person’s biometric information, you must first:
- Inform the person in writing that their biometric identifier is being collected;
- Inform the person in writing of the specific purpose and length of term for which their biometric information is being collected, stored, and used;
- Inform the person in writing when and how their biometric information will be disposed of; and
- Receive a written release executed by the person.
Disclaimer: This blog is provided for general information purposes only.
Each commercial entity is advised to undertake a review of its own use with any applicable local, state or other industry regulation.
Chris Trytten has over two decades of technical and managerial experience in systems and security at leading companies in Silicon Valley, including positions with Crossmatch, DigitalPersona, Interlink Networks, Apple, Siemens and Amdahl. In his current position as Market Solutions Manager at Crossmatch, he is using his experience serving the Financial and Retail markets by guiding the product and market teams to address the security needs of these industries. Chris is the author of multiple security white papers and articles.