Biometric Data Privacy Regulations - Top Laws and Acts to Follow Statewide

Biometric identifiers are gaining traction in many industries (education, healthcare, retail, finance, manufacturing, technology, and others) all over the world. This helps explain why regulations such as the GDPR, the CCPA, and other data protection laws address biometrics in their provisions.


Indeed, adoption of biometrics is growing, thanks partly to the argument that biometric traits are more stable over time than conventional credentials. Biometric authentication also provides a higher level of security than traditional authentication methods such as passwords, PINs, or security tokens, which makes biometric authentication systems considerably harder for attackers to bypass.


But while biometrics help streamline and strengthen the identification process, they also raise biometric data privacy concerns. To address these risks, many US states have enacted biometric privacy laws in one form or another.


What Are Biometric Identifiers?

A biometric identifier is any unique measurable behavioral or physiological trait, attribute, or characteristic that describes or helps identify an individual. Essentially, biometrics work by leveraging these unique characteristics to improve personal authentication via easier, quicker, and more secure processes. Common examples of biometrics include voice, fingerprint, palm vein, face recognition, palm print, hand geometry, iris recognition, typing rhythm, gait, and DNA.


According to the US FTC, the term “biometric information” refers to:

“Data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body. Biometric information includes but is not limited to, depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric information also includes data derived from such depictions, images, descriptions, or recordings, to the extent that it would be reasonably possible to identify the person from whose information the data had been derived. By way of example, both a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other data that encode measurements or characteristics of the face depicted in the photograph constitute biometric information.”


Any Federal Biometric Privacy Laws in the US?

No single comprehensive federal law controls the collection and use of personal data in general, or biometric data in particular, in the US. In the absence of a uniform federal regulation on the use of biometrics, the Federal Trade Commission (FTC) has tried to ensure fair biometric practices for consumers. For instance, a policy statement issued by the agency on May 18, 2023 states that the Commission is:

“committed to combating unfair or deceptive acts related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.”


States With Biometric Privacy Laws

When it comes to biometric privacy laws by state, the Illinois Biometric Information Privacy Act (BIPA) is the first and oldest biometric regulation in the United States. Enacted in 2008, it is the “gold standard” of US state biometric privacy laws and regulates the collection and storage of biometric information in Illinois. BIPA applies to all private entities that operate in Illinois, no matter where they are headquartered or incorporated.


The Illinois Biometric Information Privacy Act (BIPA)

Under BIPA, private entities that use biometric information are mandated to have a written policy, schedule, and guidelines for the collection, retention, and destruction of such information. BIPA severely limits an entity’s right to disseminate biometric information. For instance, it requires advance disclosure and a written release from the subject or employee whose information is to be collected.


Emerging Biometric Privacy Laws in Other States

Since the commencement of the 2023 legislative session, no fewer than 15 biometric privacy acts and law proposals have been put forward in 11 states (Washington, Vermont, Tennessee, New York, Missouri, Mississippi, Minnesota, Massachusetts, Maryland, Hawaii, and Arizona). These bills aim to impose new requirements on how organizations collect, handle, protect, use, and disseminate biometric information.


Regulatory Frameworks for Biometric Data

Presently, the collection and use of biometric information in several states is regulated by a patchwork of legal frameworks. This is the situation in states such as California, Virginia, Colorado, Utah, and Connecticut, where comprehensive state privacy laws regulate biometric information as a form of “sensitive” information. In California, for example, what can be termed California biometric privacy law is found in the state’s widely known California Consumer Privacy Act (CCPA).


Legal Consequences and Impact on Organizations

The CCPA regulates biometric data by including it in its definition of personal information. It defines biometric data very broadly to include “physiological, biological or behavioral characteristics, including … DNA[,] that can be used … to establish individual identity,” including “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”


Biometric Privacy Laws By State

Some states and municipalities restrict the use of certain forms of biometric data in narrower use cases. A good example is the 2022 law in Colorado that restricts the use of facial recognition technology by state and local government agencies.


Most importantly, though states such as Washington and Texas have their own state biometric privacy laws in place, Illinois’s Biometric Information Privacy Act is the only such law that permits a private right of action capable of causing substantial liability for companies. Indeed, the seminal 2019 judgment by the Illinois Supreme Court [in Rosenbach v. Six Flags Entertainment] expressly ruled that an individual does not need to suffer actual or concrete harm in order to sue under BIPA but that the mere violation of the Act is enough.


Liability and Penalties Under Biometric Privacy Laws

The liability or penalty faced by violators ranges from $5,000 per violation for intentional or reckless violations to $1,000 per violation for negligent violations (or, in either case, actual damages). In October 2022, a federal court in the Northern District of Illinois awarded a plaintiff class $228 million in damages in a BIPA suit against BNSF Railway.


Additionally, the Illinois Supreme Court recently issued two decisions that expand the scope of BIPA legal exposure even further. On February 2 this year, the Court ruled [in Tims v. Black Horse Carriers, Inc.] that individuals have five years [instead of one] after an alleged BIPA violation to institute claims under the private right of action. And on February 17 [in Cothron v. White Castle System, Inc.] the Court ruled that “a separate claim accrues under [BIPA] each time a private entity scans or transmits an individual’s biometric identifier or information in violation of [the Act].”


Recent Developments in Biometric Privacy Case Law

The majority of the 2023 biometric privacy bills introduced by states to date are modeled after the Biometric Information Privacy Act, including its provisions for private rights of action and damages. Therefore, much like BIPA, these bills have the potential to significantly raise the compliance risk and liability exposure of organizations that collect and process biometric information. To avoid unwanted consequences, such organizations (especially those that handle the biometric information of residents of Illinois or of any other state considering BIPA-like legislation) will have to make sure that they handle and process data strictly according to the requirements of BIPA and laws designed to work like it.


Struggling With Compliance?

As noted above, non-compliance with biometric privacy laws can lead to substantial penalties. But non-compliance need not be your situation when an organization like iDox.ai has the human and technological resources to help you achieve compliance with laws that have biometric components, such as the GDPR, CCPA, and CPRA.


Don't let non-compliance hurt your business! Use our comprehensive data discovery platform designed to simplify compliance while empowering you to protect sensitive data and build trust with your customers. Request a demo today to learn more about quickly achieving compliance with iDox.ai!
