Commercial Biometric Data Regulation
Biometric identification systems are rapidly increasing in use advances in sensors, readers and software make physical features easily measurable. Biometrics are measurements of a person’s physical being. Fingerprints, retinal or iris scans, hand geometry, facial recognition, gait analysis, voiceprint reading, and keystroke analysis are all simple biometric ways to identify a person.
Considering accuracy and ease of use, it should be no surprise that commercial biometrics use has exploded. Biometric data is being put into validation methods for may uses.
Banks regularly use voiceprint to authenticate account holders when they call customer service lines. MasterCard is using “selfies” instead of passwords for cardholders to sign in to their accounts using face prints. Amazon filed a patent for a program that will allow users to authorize purchases through special selfies.
Biometrics identification also has pitfalls. A person’s biometric data cannot be replaced or changed like a password or credit card number. You only get one set of fingerprints, retinal patterns, and face print. Once compromised, the biometric measurement may be lost as an identifier. Biometric identifiers can be collected and used surreptitiously. Faces and gaits can be measured in a crowd or at a doorway, voices can be recorded from phone calls. Biometric information allows individual identification more easily than traditional identifiers do. All it takes to identify an individual is to collect a face print once and use it forever.
This may lend itself to a high level of government surveillance. The FBI is developing the “Next Generation Identification” program, which will collect fingerprints, iris scans, DNA profiles, voiceprints, palm prints, and photographs to replace its current identification program, which uses only fingerprints. The FBI’s new program may work with biometric databases maintained by other, presenting many possibilities for matching identifiers.
Given these advantages and risks, legal limitations have begun. This memo examines the laws that govern use of biometric data and outlines what businesses should do if implementing validation tools using biometric data.
PRIVACY LAWS SPECIFICALLY TARGETED TO BIOMETRIC INFORMATION
Some states have enacted legislation specifically to regulate third party use and collection of individual biometric information. State laws on biometric information fall into one of three categories: (1) laws with respect to the collection and use of biometric information belonging to students; (2) laws dealing with collection by government actors; and (3) laws targeting the collection and use of biometric information by businesses.
Student Biometric Information
California law prohibits operators of websites geared towards K-12 school purposes from selling students’ biometric data and restricts their use. Delaware has a similar law. In North Carolina and West Virginia, student biometric data may not be kept in student data systems.
Illinois law prohibits school districts from collecting biometric information from students without parental consent, and they must stop using such information when the student graduates, leaves the school district, or when the district receives a written request from the student and all biometric information must be destroyed within 30 days of discontinued use. The school district may only use biometric information for student identification or fraud prevention and may not sell or disclose to third parties without parental consent or pursuant to a court order. Arizona, Wisconsin, Louisiana, and Kansas have similar laws. Colorado law prohibits its Department of Education from collecting student biometric information unless required by state or federal law. A Florida law goes further by prohibiting schools from collecting, obtaining, or retaining biometric information from students, their parents, or their siblings.
Government Actors Collecting Biometric Information
Missouri, Maine, and New Hampshire laws prevent state agencies from collecting, storing, or using individuals’ biometric data in connection with ID cards or driver’s licenses.
Neither these laws nor any existing laws prohibit government actors from collecting or using biometric information in connection with law enforcement, immigration, border security, or national security.
Collection of Biometric Information by Businesses
The first state law to address business’ collection of biometric data was the Illinois Biometric Information Privacy Act (“BIPA”), followed by Texas’s biometric law. BIPA lays out a comprehensive set of rules for companies collecting biometric data and creates a private right of action for Illinois residents whose biometric data is collected or used in violation of its rules. BIPA has five primary elements.
Informed Consent Prior to Collection Required
BIPA prohibits a business from collecting or receiving biometric data without first notifying the individual in writing. The notice must include the purpose for the collection, and how long the data will be used or stored, and the business must receive the individual’s written consent to such collection. The form and content of the written release is not laid out, and BIPA gives no guidance as to whether electronic consent is allowed. One might expect “click-wrap” agreements would be written consent under BIPA. The written consent requirement is not likely satisfied with “browse-wrap” agreements which do not require any affirmative action to accept the terms.
Profiting from Biometric Data Prohibited
BIPA prohibits a business from selling or otherwise profiting from biometric data it collects or stores. The law uses the vague language “otherwise profit” from the use of the biometric data. It is silent as to how direct the link must be between the profit and the data to qualify as a violation.
Limited Right to Disclose
The Illinois law prohibits a business from disclosing an individual’s biometric data unless (i) the subject consents; (ii) the disclosure completes a financial transaction requested by the individual; (iii) the disclosure is required by Illinois law, municipal ordinance, or federal law; or (iv) the disclosure is required by a valid warrant or subpoena.
Mandated Protection Obligations and Retention Guidelines
BIPA requires a business to protect biometric data in the same manner it would other sensitive and confidential information in its possession, using the reasonable standard of care within its industry. In addition, the Illinois law requires a business in possession of biometric data to have a publicly available written policy stating the business’s retention schedule for the data and rules governing its destruction and the business must adhere to that policy. A business may not store biometric data for longer than the earlier of three years from the individual’s last interaction with the company or when the initial purpose for collecting the data has been fulfilled.
Private Right of Action for Individuals Harmed by BIPA Violators
BIPA gives any person harmed by a business’ violation of BIPA a private right of action and entitles a prevailing party to statutory damages for each violation equal to the greater of $1,000 or actual damages for negligent violation of BIPA or the greater of $5,000 or actual damages for intentional or reckless violation of BIPA.
BIPA went largely unnoticed after its enactment, until a series of lawsuits were brought against businesses that allegedly collected and used biometric data belonging to Illinois residents in violation of BIPA. These class action lawsuits were filed against Facebook and Shutterfly. Facebook allegedly violated BIPA with its photograph tagging suggestion feature, which captures and stores facial features, without consent, to enable users to “tag” their friends in photographs. The plaintiffs allege they were not Facebook users at the time their face prints were collected and, as such, did not consent to the collection of such biometric data that may have been described in Facebook’s click-wrap agreement for the creation of a Facebook account.
Similarly, a plaintiff claims that Shutterfly’s creation, collection, and storage of millions of face templates from individuals whose images appear in photographs submitted to Shutterfly, many of whom are not Shutterfly users, is a violation of BIPA’s informed consent requirement. The court has allowed the case against Shutterfly to proceed.
BIPA appears to be the biometric law to copy. The Texas biometric law contains similar substantive provisions to BIPA, namely requiring informed consent before a business can capture a biometric identifier, prohibiting a business’ sale of biometric data with a few exceptions, and laying out security and retention requirements. Similar laws are bending in Idaho, Alaska and Washington state.
THE FTC AND BIOMETRICS
The FTC has issued recommended best practices for companies using facial recognition technology. It has stopped short of creating rules or laws in this space. The FTC recommends companies implement “privacy by design” by (i) maintaining reasonable data security protections for biometric information; (ii) establishing and maintaining appropriate retention and disposal practices for biometric information; and (iii) considering the sensitivity of biometric information when designing facial recognition technologies. The FTC also suggests that companies employing facial recognition technologies should increase transparency of their methods and provide consumers with choices, like the opportunity to opt out of collection of their biometric information. The FTC specifically advises social networking companies to give consumers a clear notice, apart from privacy policies, that it collects face prints, how the technology works, and how the company will use the data. The FTC also advises that social networking companies should give consumers an easy way to opt out of collection and ability to turn off the facial recognition feature at any time and have the company delete the biometric data already collected.
The FTC also recommends that companies obtain express consent before collecting or using face prints in two situations: (i) before using an image or face print in a materially different way than the company represented at the time of collection; and (ii) when using a face print to identify anonymous images of a subject to someone who could not otherwise identify the subject, as in public places. The FTC Recommendations mirror BIPA’s requirements, without going as far as to advise against disclosure to third parties.
Though the FTC Recommendations are only guidelines, the FTC hints that a company’s failure to properly notify subjects of the use of facial recognition technologies could be subject to FTC enforcement actions.
BROAD “UMBRELLA” PRIVACY LAWS UNDER WHICH BIOMETRIC INFORMATION MAY FALL
Many state laws governing data security and breach response include biometric information in their definitions of covered personal information. North Carolina law lists biometric data as an element of identifying information that, in combination with a person’s name, constitutes personal information. This law requires any entity conducting business in the state and maintaining personal information of a resident to take reasonable measures to protect the information against unauthorized access. Such reasonable measures must include proper disposal of the information. A security breach involving a North Carolina resident’s biometric data, if paired with his or her name, would also be governed by the North Carolina law’s data breach notification procedures. Most states’ data breach notification laws will govern unauthorized access to residents’ biometric information, though the inclusion may be vague, and not specifically identify biometric information, like South Carolina’s law, which defines personal identifying information as a person’s name plus other numbers or information which may be used to access a person’s financial accounts or numbers or information issued by a governmental or regulatory entity that will uniquely identify an individual.
U.S. national privacy law is industry sector based. These industry-specific laws also govern private and public actor use of individual biometric information in their governance of financial institutions, educational institutions, commercial entities, and health-care providers.
Financial institutions must comply with the provisions of the Gramm-Leach Bliley Act (GLBA), addressing the privacy of personally identifiable financial and account data. The privacy requirements of GLBA apply to financial institutions, which are essentially any business institutions significantly engaged in financial activities. GLBA’s privacy rule applies to the collection of nonpublic personal information (NPI).
GLBA’s definition of NPI does not expressly list biometric information, but the expansive definition of NPI certainly includes it. NPI is defined as personally identifiable financial information: (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution. Under the FTC’s Privacy of Consumer Financial Information Rule, NPI is personally identifiable information or any list, description, or grouping of consumers derived using nonpublic personally identifiable information. Personally identifiable information is defined by the FTC as any information: (i) a customer provides to a financial institution to obtain a product or service; (ii) about a customer as a result of a transaction between the financial institution and customer involving the financial institution’s products or services; or (iii) otherwise obtained by the financial institution in connection with its provision of services or products to the customer. A consumer’s biometric information collected by an institution could fall under any of these definitions depending on the method and timing of its collection.
Financial laws do not protect consumer biometric data as tightly as many think. GLBA does not prohibit a financial institution from selling or profiting from consumer NPI, including biometric data. GLBA is silent on financial institutions’ collection of NPI. It does have an opt out requirement, but it is with respect to a financial institution’s disclosure, not collection, of NPI. Under GLBA, a financial institution cannot disclose NPI to a third party unless it discloses to the consumer the possibility of the disclosure to the third party, the consumer is given the opportunity to opt out of the disclosure, and the consumer is told how to opt-out. Disclosure to an affiliate is not subject to the notice and opt-out requirements and there is also an exemption for nonaffiliated third party servicers and joint marketers. GLBA has a list of exceptions from its opt-out and notice requirements, including when a financial institution’s disclosure of its NPI to a nonaffiliated third party is to prevent fraud or unauthorized transactions. Because the most prolific use of consumer’s biometric data in the financial industry is for fraud prevention, this exception guts the requirements of notice and opt-out for most financial institutions use of biometric data.
Upon establishing a relationship with a consumer and annually thereafter, GLBA requires financial institutions to provide a notice to consumers describing its privacy policies and providing consumers with the right to opt out of disclosure of some NPI. The notices are required to include the categories of parties to whom NPI may be disclosed, the categories of NPI that are collected, and the methods financial institutions employ to protect NPI. GLBA does not require that notices include the specific purpose for which data is collected and the time period for which the financial institution will store the data. Finally, GLBA requires that financial institutions protect the security and confidentiality of customers' nonpublic personal information by adhering to the appropriate standards promulgated by their respective regulatory agencies or authorities.
The Family Educational Rights and Privacy Act (FERPA) governs the disclosure of students’ biometric information, to the extent it is contained in student records. A student’s biometric record is included in the definition of personally identifiable information, and is a type of information that may be included in students’ education records. As such, FERPA prohibits schools from releasing students’ biometric information without parental consent, to the extent that it is contained in students’ education records, with some limited exceptions.
The health industry has been regulated by detailed data rules since 1996, when Congress enacted HIPAA to regulate the treatment of electronically stored or transmitted individually identifiable protected health information (PHI) by hospitals, insurers, employers, doctors, and pharmacies. If biometric information is collected in the course of treating a patient, it is treated as PHI under HIPAA. Under HIPAA’s Privacy Rule, covered entities may only use and disclose PHI with the individual’s written consent or (i) to the individual; (ii) for treatment, payment, and healthcare operations activities; (iii) with informal permission giving the individual the opportunity to agree or object; (iv) for uses incident to permitted uses; (v) for purposes that benefit the public interest; and (vi) a limited data set may be disclosed for research or public health purposes. Note that the Privacy Rule does not require consent for collection of PHI, just disclosure.
The Privacy Rule does not apply to information that has been de-identified, which may be accomplished by removing all specific identifiers from the PHI. HIPAA lists. Biometric identifiers, including finger and voice prints as an identifier of an individual that must be removed from PHI for de-identification. The HIPAA Privacy Rule also requires covered entities to provide notices of their privacy practices to patients. Among other elements, these notices must describe how the entity will use and disclose PHI. The security rule requires covered entities and their business associates to protect electronic PHI using administrative, physical, and technical security safeguards. Finally, the Health Information Technology for Economic and Clinical Health Act (the HITECH Act) amended HIPAA to require covered entities and their business associates to notify affected individuals and the Department of Health and Human Services in the event of a breach involving unsecured PHI.
HIPAA only protects data collected by certain types of entities for the provision of health care services or payment for those services. It would not affect biometric data collected for identification purposes by a doctor or hospital, or any biometric data collected by a non-covered entity.
The only clear conclusion is that entities using biometric data should watch this rapidly developing legal landscape. Companies may want to err on the side of caution and ensure their notification and consent processes are clear and conspicuous.