There has been a lot of press lately regarding concerns around the use of biometric technology and privacy, largely fueled by recent class action lawsuits aimed at high-profile companies like Google, Shutterfly and Facebook.
Although only a handful of states have enacted regulations governing the use of biometrics for commercial purposes, these regulations, combined with several high-visibility lawsuits, have alarmed businesses that are using, or considering the use of, biometrics.
The reality is that the privacy practices that these laws mandate are quite manageable and can be readily implemented by any organization.
What is the Illinois Biometric Information Privacy Act (BIPA)?
- Permits a limited right to disclose the biometric data, only where:
  - The subject consents
  - The disclosure completes a financial transaction requested by the individual
  - The disclosure is otherwise required by law
- Mandates protection obligations and retention guidelines for the biometric data
- Creates a private right of action for individuals harmed by violators of the law
- Requires businesses to have a written policy stating a retention schedule and destruction procedure for the biometric data
- Businesses cannot store the data for longer than the earlier of three years from the last transaction
State Biometric Regulation at a Glance
Illinois was the first state to enact commercial biometric regulation, in 2008, with its Biometric Information Privacy Act (BIPA).
BIPA requires companies to obtain a person’s informed consent before collecting, capturing or purchasing that person’s “biometric identifier” or “biometric information”. Companies must also provide written notice stating the purpose for collecting it and for how long it will be used or stored.
Developing Trends in Legislation
Since the introduction of BIPA in 2008, only two other states, Texas and Washington, have enacted legislation governing the collection and use of biometric data for commercial applications, in 2009 and 2017, respectively.
There is a growing trend amongst state representatives seeking to balance consumer privacy rights with the rights of companies developing and adopting new technologies.
A recently enacted Washington law provides a good example of how legislators are working with industry to enact common sense biometric regulations.
The Washington law is essentially a modified version of the Illinois law, placing fewer limits on the use of biometric data while narrowing consumer consent requirements and allowing certain exemptions for existing data stores. Highlights of the law include:
- Privacy exemptions for certain photos
- Restricts the right of legal action to the State’s Attorney General
- Prohibits individuals from suing
- Allows companies to use exempted fingerprints, eye scans or facial photos
Other legislative activity demonstrates the measured approach states are taking to regulate the use of biometrics. In most cases, proposed legislative attempts have been rejected, as in the cases of California, Connecticut, Alaska, New Hampshire and New York.
The Way Forward with Biometric Regulation
Complying with laws on the books in Illinois, Texas, and Washington regarding commercial collection of biometrics is well within the reach of most businesses. The bottom line is that existing legislation does not prohibit the voluntary fingerprinting of employees, but instead requires common-sense privacy practices.
Some general guidelines for conforming to these laws include providing a non-biometric alternative means of access, disclosing the reason for fingerprinting, obtaining consent, and destroying the biometric data once the employee no longer works for the company—key principles already embodied in the International Biometrics and Identity Association (IBIA) best practices recommendations for commercial biometric use.