Biometric Information Privacy Laws
- As biometric data use in society becomes more ubiquitous, so have the statutory and judicial responses concerning their use and the related privacy and contract law issues.
- To minimize financial and legal risks organizations should proactively address the attendant legal risks of biometric data with customers, employees, and third-party vendors.
One of the most famous scenes in the movie “Minority Report” features Tom Cruise’s character Jon Anderton walking through a shopping mall as discrete scanners using iris recognition technology are hard at work, scanning his (and other shoppers’) irises. The scanners identify everyone individually to create a personalized shopping experience through targeted video screen advertisements that we can see change and move as Tom does. Far-fetched fictional technology? In the past 17 years the potential uses for biometric technology have grown.
This post briefly describes some biometric business applications presently in use, and provides a brief overview of some legal developments regarding biometrics privacy.
What Are Biometrics?
Biometrics measure and analyze people’s unique physical and behavioral characteristics. Numerous and rapidly evolving biometrics business applications include identification, access controls, testing, health care. Like all technology, biometrics present both many beneficial applications for businesses and individuals, as well as legal risks.
Examples of biometrics include an individual’s DNA, fingerprints, eyeballs/irises/retinas, voiceprints, handprints, facial geometry, sleep, health, or exercise data, and keystroke, gait, or other physical patterns. Some biometrics, like fingerprints, DNA, and retinal blood vessel patterns, generally do not change over time. Others, like facial geometry or gait, can change over time due to age, illness, or other factors, and thus may adversely impact the accuracy of the biometrics. Also, current biometric readers may not accurately recognize all biometric characteristics. The uniqueness and potential permanence of biometrics are advantageous from a security perspective to accurately identify and distinguish individuals, plus you do not have to worry about forgetting your biometric password.
How Are Biometrics Used in Business Today?
Businesses presently use, and will continue to use, biometrics (and related technologies) in a wide variety of applications to improve their business processes and their customer and employee interactions, conveniences, and trustworthiness. Some examples include:
- Workforce management. Consider a modern update to the time clock for logging in and out of work. Instead of workers having to wait in line to retrieve a time card, punch the card into a time-stamping machine, and then replace the card into its slot, biometric readers allow workers to simply tap their fingerprints onto a biometric fingerprint scanner. This can prevent buddy time-punching and time theft, and increase accountability and security. See, Dixon v Washington and Lee Smith Community-Beverly, et al., 2018 WL 2445292 (USDC IL ND, 20180531).
- Hospitals. Although credit-card data breaches make for major headline news, medical identity theft events plus mistakes caused by hospital physicians and staff mixing up patients’ files are increasingly common, costly, and potentially life-threatening. Biometric technologies can help hospitals and other medical providers avoid these risks.
- Banking. The banking industry has been looking into and adopting biometric technologies to help reduce identity theft and improve efficiencies and customer experience in the banking process.
- Retail. Tanning salons, health clubs, or similar member-model-based businesses allow their customers to easily enter and use the business facility by using a fingerprint scanner for customer identification at any of the businesses’ locations. See, Sekura v. Krishna Schaumburg Tan, Inc., 2018 Ill. App. (1st) 180175 (Ill. App. Sept. 28, 2018).
- Automotive. Biometrics can be used instead of key fobs to enter and operate an automobile, or to recognize whether the driver is becoming impaired (e.g., tired or texting), which could put the occupant(s) of the vehicle and other people and vehicles around it at risk.
However, if compromised, the same characteristics and advantages of biometrics present a potential threat to the individual owner of the biometric markers and risks to the businesses that use, and are the stewards of, biometric data.
Biometric Information Privacy Statutes
Biometric Information Privacy (“BIP”) is permanently ingrained into the privacy legal risk matrix confronting organizations and individuals, and is under review by state and federal legislators and regulators in the United States and in the international community, and in developing legislation. October 2018 marked the 10th anniversary of the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., a comprehensive BIP statute that has become a model for some state legislative bodies, and particularly since the January 2019 Illinois Supreme Court decision in Rosenbach v Six Flags Entertainment Corporation, 2019 IL 123186, has given rise to a number of class-action lawsuits against businesses.
BIPA sets forth a fundamental privacy concept concerning biometric data: “The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” 740 ILCS 14/5(g). This concept is applicable to most BIP legislation and analysis when viewed in light of the unique permanence of biometric data. In varying forms, this concept is seen in enacted, and in pending (or considered), legislation in multiple U.S. (and international) jurisdictions including in the U.S.: Arizona, California, Colorado, Delaware, Florida, Georgia, Iowa, Louisiana, Massachusetts, Michigan, Texas, Vermont, Washington, and Wyoming. Suffice it to say that BIP must be considered as part of the privacy legal risk matrix of any business or government agency using biometric data.
Biometric data and devices and applications that collect, process, and analyze biometric data are now, and will become even more, ubiquitous. An increasing number of businesses in a variety of industries will increasingly confront BIP issues in their business processes as they begin to realize and recognize the return on investment biometric technologies can provide to the business. The bottom line is that these businesses, governments, and their professional advisers must understand and proactively address the legal risks attendant to biometric information and the use thereof with customers, employees, and third-party vendors. For some additional information, please read my article titled “Biometric Information – Permanent Personally Identifiable Information Risk” available at http://bit.ly/WERNICK_BIP-ABA_20190702.
20200112 Copyright © 2020 Aronberg Goldgehn & Alan S. Wernick. All rights reserved.