Biometric identifiers are the basis of highly secure identification and authentication technologies people and businesses use daily.
The United States does not have a federal privacy law. There are three dedicated biometric privacy statutes in the United States: the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Washington Biometric Privacy Act (WBPA).
These laws define a biometric identifier as a retina or iris scan, fingerprint, voiceprint, or scan of the hand or face geometry. Biometric information, in Illinois law, means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.
Illinois Biometric Information Privacy Act
Of the three laws, BIPA is the only one with a private right of action. The Act says no private entity possessing a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or customer's biometric identifier or biometric information unless the subject consents.
A private entity in possession of biometric identifiers or biometric information must develop a written policy establishing a retention schedule and guidelines for permanently destroying them.
A private entity in possession of a biometric identifier or biometric information must (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care of the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Texas & Washington State
Under Texas law, a person who violates the law is subject to a civil penalty of not more than $25,000 for each violation in an action brought by the attorney general. It does not apply to voiceprint data retained by a financial institution or an affiliate of a financial institution.
Washington state has a carveout for notice requirements under certain circumstances.
Neither Texas nor Washington state provide for a private right of action to be brought.
California
Under the California Consumer Privacy Act of 2018 (CCPA), biometric data is one form of personal information subject to data subject access rights. Effective January 1, 2023, a subcategory of sensitive personal information now includes the processing of biometric information for the purpose of uniquely identifying a consumer. Consumers have a right to limit the use and disclosure of sensitive personal information to specific business purposes, such as helping to ensure data security and integrity, performing services on behalf of the business, or undertaking activities to verify and maintain or enhance the service or device owned or controlled by the business.
Biometric Litigation
Innovative technology in industries like transportation and beauty has prompted new potential violations of biometric privacy laws.
The transportation and logistics industries are active users of telematics. In many instances, dash cameras are installed in vehicles and, with the use of AI, can interpret objects on the road and inside the vehicle cab, including driver behaviors. Transportation companies use this tool to arm fleet managers against potentially fraudulent claims or increase awareness about risky driving. Although the use of video telematics is not a new concept, this new use of this technology has been the focal point of recent litigation.
Today, buyers can buy a wide variety of products online, with many retailers adopting virtual try-on technology to close the gap between the in-person and virtual shopping experiences. Retailers use desktop or mobile cameras to allow a consumer to try on a product. Litigation has been filed where a retailer allegedly violated Illinois law by allowing users to try on eyewear virtually. However, it did not (1) disclose that the try-on tool collects and stores a user's facial geometries and (2) get users' consent to collect their biometrics. How a retailer uses the try-on technology may impact the analysis of whether a violation occurred.
Emerging Technologies
AI is the simulation of human intelligence processes by machines. AI developers use algorithms and statistical models to train the AI system to generate conclusions by ingesting significant volumes of data collected from various sources. As biometrics are most often used in identity authentication, companies are developing ways to marry AI and biometrics.
Metaverse is a virtual world or a shared virtual space where physical and virtual realities converge. This allows users to socialize, experience new forms of entertainment, and engage in commerce. Developers can create versions of this technology, and users can engage virtually using devices like virtual reality headsets. These headsets can capture and process biometric data, like iris scans, pupil dilation, heart rate, and voice analysis.
Retail companies are likely to be frequent entrants into the metaverse, using the technology and virtual environment to interact with consumers and enhance their experience. How consumers interact with the virtual shopping experience may implicate the use of biometric data. Natural language recognition AI could be leveraged with voice data to train AI systems to develop more realistic customer interactions.
Comments