This article is about the rise of state laws protecting biometric data. It covers vulnerabilities, key laws like Illinois’ BIPA, and best practices such as informed consent and data protection, highlighting the growing need for privacy safeguards.
The use of biometric data as a means of securing technology is widely viewed as a more robust and convenient method of identity authentication, particularly when compared to practices such as username-password combinations or physical security badges. However, this security method is also uniquely vulnerable to cybersecurity threats targeting the highly sensitive data (fingerprints, DNA, facial scans, etc.) being collected and stored, which raises a number of important legal and privacy concerns. For instance, if a database of biometric data is hacked, who is responsible? What if an employee does not want their biometric data to be used as a key to unlock an employer’s computer systems? Can biometric data from a fitness device be used to determine eligibility for healthcare or insurance coverage?
Protecting biometric data is one of many issues facing regulators in the U.S., primarily at the state and local level, where significant privacy legislation is being enacted in the absence of a comprehensive federal privacy law. Although 12 states have now adopted data privacy laws, only three states and one city (Illinois, Texas, Washington and New York City) currently have specific biometric privacy laws on the books [2]. And of those, only Illinois has a private right of action, making it a more potent and potentially impactful law. Further, unlike Texas and Washington, Illinois does not restrict its scope to commercial uses of biometric data only.
Overview of Biometric Privacy Laws in the U.S.
First, it may be helpful to level set on the term ‘biometric data.’ A commonly accepted definition is that of the EU’s General Data Protection Regulation (GDPR), which defines it as personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data.
Currently, there are four state and local laws in the U.S. which specifically address biometric data:
- Illinois’ Biometric Information Privacy Act (BIPA), adopted in 2008, is one of the first laws in the nation to regulate the use of biometric identifiers and biometric information. It is fast becoming a blueprint for other states; its key provisions are reviewed below.
- Texas’ Capture or Use of Biometric Identifier Act (CUBI), passed in 2009, essentially restricts the use of biometric data for commercial purposes unless notice and consent is obtained from the affected individual.
- In Washington, two laws are currently in effect. The Washington Biometric Law prohibits the use of biometric data for commercial purposes, while the 2023 My Health, My Data Act offers protections similar to those in the BIPA for personal health data not covered by HIPAA.
- At the local level, New York City has a biometric privacy law in effect, which applies only to the collection of customer biometric information.
Additional Regulation via State Consumer Privacy Laws
In addition to specific biometric data laws, a number of states address the use of such data within their consumer data privacy statutes [3], deeming it “sensitive information” to which the most stringent protections apply.
Generally speaking, these laws require entities collecting and using sensitive biometric data to notify individuals at the time of collection [4] of the following:
- that the organization collects, stores or uses biometric information;
- the purposes of such actions; and
- how long the organization uses or stores the biometric information.
Additionally, some consumer privacy laws may also require such entities to:
- process only the limited amount of data necessary for the purpose; and
- obtain the consent of the individual for the collection and use of the sensitive data, i.e. biometric identifiers or biometric information.
Finally, it is worth noting that some laws, such as the CPRA, include private rights of action.
A Closer Look at Illinois’ BIPA
Illinois is considered a leader in biometric data protection, and the BIPA is being used as a blueprint for other states considering similar protections. As such, it is worth exploring in greater detail.
Key Definitions
Under the BIPA, a “biometric identifier” is defined as a fingerprint or a retina or iris scan, and “biometric information” is any information used to identify an individual that is based on that person’s biometric identifier.
Scope
Generally speaking, the law prohibits the collection of biometric data unless an entity first informs the subject that the information is being collected, provides the reason for the collection, and obtains a release from the subject for the use of the information. Further, if that information is to be disclosed to another party, the entity must obtain the subject’s consent for the disclosure or redisclosure. In other words, informed consent is required by BIPA. Service providers receiving biometric data are also obligated not to use such information for any reason other than the stated contractual purpose and to delete the data after use. And in the employment context, BIPA requires employers to obtain both informed consent and a written release executed by an employee as conditions of employment.
Informed Consent Requirements
In a recent case before the Illinois Supreme Court [5], the court held that informed consent is required each and every time biometric information is collected. Under BIPA, informed consent requires both notice and receipt of the subject’s release. Specifically, an entity must:
- Notify each individual or their authorized representative in writing:
  - that the organization collects or stores biometric identifiers or biometric information;
  - the purposes for collecting, storing, and using the biometric identifiers or biometric information; and
  - how long the organization uses or stores the biometric identifiers or biometric information.
  The foregoing is usually accomplished by reference to a privacy policy and terms of use which spell out how personal data is used.
- Receive the individual's or their legal representative's written release to collect biometric identifiers or biometric information.
Mandatory Policy and Security Measures
In addition to requiring consent, BIPA requires entities using biometric data to develop a publicly available written policy that includes a retention schedule and guidelines for permanently destroying the biometric identifiers and biometric information when the initial collection purpose no longer exists or within three years of an individual's last interaction with the private entity, whichever is earlier. Security measures designed to safeguard the information are also required.
Best Practices for Collectors of Biometric Data
Entities that collect and use biometric data, whether for their own use or as a service provider, are encouraged to familiarize themselves with any applicable laws relating to this practice. Although specific requirements will vary from state to state, the following elements are generally considered best practices for biometric data protection:
- Giving notice at the time of collection and obtaining verifiable consent (as proof that the individual knew and agreed to the collection, if needed in the future)
- Providing a clear statement of purpose for the collection
- Limiting use of biometric data to only the disclosed purpose
- Storing data for the least amount of time possible
- Updating privacy policies and terms of use to ensure biometric data measures are included and easily understood
Organizations also may wish to review existing cyber liability insurance policies to ensure coverage of the use and collection of biometric data, particularly in light of the proliferation of new laws and private rights of action.
Special Considerations for Employers
Employee data is typically treated differently than consumer data under the law by virtue of the fact that employees essentially must allow employers to process their data. GDPR set the standard here, requiring employers to have a “legitimate interest” in order to process employee data and disallowing the use of consent as a basis for processing. Following suit, Illinois’ BIPA requires a written release in addition to informed consent.
For this reason, employers collecting biometric data should be thoughtful in how they approach employees. For instance, in addition to procuring a written release signed by employees, providing written notice at the time of collection (which states the reasons for the processing) and requesting employee acknowledgement of the collection for each stated use are now considered best practices. Offering employees security options that do not involve the use of biometric data is also appropriate.
Conclusion
The proliferation of biometric security measures has been a double-edged sword for businesses. Despite offering convenience and robust protection, they are also rife with the potential for abuse and misuse. The introduction of biometric privacy laws by several states is a clear sign that regulators recognize the risks and the need to protect citizens and their highly sensitive personal data.
As with any type of personal data collection, organizations cannot go wrong by adhering to the basic principles of privacy by design, which are: collect only what is necessary to the purpose and delete any data securely when no longer required.
If you have questions about biometric privacy laws or privacy issues in general, please contact clientsuccess@outsidegc.com.
Credits
1. Biometric data subject to HIPAA is not addressed in this post.
2. The New York Biometric Privacy Act is currently under consideration by the New York State Senate and Assembly.
3. California (in both the California Consumer Privacy Act and California Privacy Rights Act), Virginia, Colorado, Connecticut and Utah. Delaware, Texas, Oregon, Montana, Iowa and Florida are expected to have similar laws coming into effect in 2024 and 2025.
4. Utah does not require prior consent but does require that an individual have the opportunity to opt out of the collection and use of the biometric information.
5. Cothron v. White Castle (2023 IL 128004, February 17, 2023)