2020 Biometric Data Update

Written by: Brett Lawrence, Esq.

The use of biometric data is more prevalent than it has ever been, primarily because developing technology has created a broad swath of convenient uses for it. It can help law enforcement authorities quickly identify wanted individuals and also secure a business’s access to proprietary information. The best and most relatable example is the Apple iPhone’s fingerprint and facial recognition software.

However, with such valuable information comes heightened privacy concerns. Unlike the typical information businesses collect from their consumers and employees—name, email address, phone number, etc.—biometric data broadly encompasses an individual’s immutable characteristics and even behavioral patterns. Aside from data breaches, which are invariably a cause for concern in data protection, the prevailing news topic lately has been the legality and ethics of the collection and use of biometric data.

European Union

Last month, news emerged that Hamburg, Germany’s privacy commissioner was requesting information from the New York-based facial recognition start-up company, Clearview AI, regarding its collection and processing of individuals’ biometric data in the city. The investigation stemmed from a complaint filed against the company in February stating that Clearview was collecting images of the city’s citizens without their consent. The applicable privacy law is the European Union’s General Data Privacy Regulation (“GDPR”). The GDPR defines “biometric data” as the “physical, physiological or behavioral characteristics of a natural person” that can lead to the confirmation of an individual’s identity, such as a photograph. The GDPR generally forbids the collection of biometric data absent, among other things, explicit consent or a showing of a vital interest or legitimate activity in doing so.

Recall that in January of this year, the New York Times reported that Clearview was collecting, with unfettered discretion, billions of unique images of individuals from social media platforms and providing the resulting database to more than 600 law enforcement agencies. To date, Clearview has not complied with the privacy commissioner’s request and is on record arguing that it does not fall under the GDPR’s jurisdiction. Unless it complies with the investigation, Clearview may be fined €10,000 for each of the privacy commissioner’s seventeen questions that remains unanswered.

United States

In a more benign example, Little Caesars Enterprises Inc. is currently facing a federal class action lawsuit for violating Illinois’ biometric data law, the Illinois Biometric Information Privacy Act (“BIPA”). Similar to the GDPR, BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” BIPA allows the collection of biometric data if (1) the collector gives written notice to the recipient of the purpose for collecting the information and the length of time it will be stored, and (2) the recipient provides written consent.

The lawsuit is brought by employees who claim the long-time pizza franchise failed to provide the statutorily required notice and obtain written consent before collecting their fingerprint data. The data was collected from the company’s biometric time clock system, which requires each employee to scan their fingerprint. The lawsuit is still pending, and we will provide updates as the case develops.

Laws Regulating Biometric Use

Illinois was the first state in the country to pass a biometric privacy law. Organizations that use biometric data and do business in Illinois:

  • Must obtain informed consent from subjects before collecting biometric data
  • May not profit from biometric data
  • Must take all necessary steps as mentioned in the statute to protect and retain data
  • Have limited rights for disclosure

A plaintiff who is harmed by a violation of the law may be eligible to receive $1,000 per negligent violation or $5,000 per intentional violation.

Tex. Bus. & Com. Code §503.001 prohibits individuals and businesses from capturing a biometric identifier without prior consent. The law also requires businesses to refrain from selling biometric data without consent. They must use reasonable care in storing biometric data and must destroy the data within a reasonable time (no later than one year from the date the information was collected, unless otherwise specified).

Washington’s biometrics law came into effect in 2017. It regulates the way individuals and non-government entities are able to collect, store, and use biometric information.

Individuals and organizations in Washington are prohibited from collecting data for commercial purposes without obtaining consent. Businesses that want to collect biometric data must have a mechanism to prevent the unlawful use of biometric identifiers for commercial purposes.

Complying With Biometric Laws

  • Have a process in place to store, manage, and destroy biometric data
  • Obtain explicit consent before collecting data
  • Make sure the privacy policy section on your website includes information about policies related to storage, collection, and use of biometric data

As seen briefly in these two instances, biometric data can be incredibly convenient for multiple industries. But given the sensitive nature of the information that biometric data entails, governments and individuals alike are going to continue to enforce strict protocols on the collection and use of such data.