Biometrics: A Fingerprint for Privacy Compliance, Part I

In just the last week, the New York State DMV announced an upgrade to facial recognition software to catch identity thieves trying to obtain fraudulent driver’s licenses, and the Scottish Professional Football League was denied a request for funding for facial recognition at stadiums to track unacceptable conduct. Use of technology and services that leverage biometrics – unique physical or behavioral characteristics about a person – is increasing, and privacy laws are hot on their trail with U.S. states starting to consider and enact laws restricting how companies can collect and use biometrics information, restricting how long the information can be retained, and specifying how it must be protected.  This post tells you the high points you need to know about U.S. biometrics privacy laws, and what to do to avoid being the next lawsuit target.  In a second, forthcoming post, we will focus on the current (and future) state of EU law, where there are already stringent restrictions on the collection, use and transfer or biometric information.

Background

Biometrics include retina or iris scans, fingerprints, voiceprints, scans or records of hand or face geometry, or any other information based on such items that is used to identify an individual. So far, two states (Texas and Illinois) have laws that focus on biometrics privacy.  Texas and Illinois require:

• Notice and individual opt-in consent before obtaining biometric data. Illinois also requires a written notice of specific purpose, length of collection/use/storage, and a written release.
• No commercial use (i.e., profit) even if the individual is a customer (Illinois only).
• Retention limited and destruction required after purpose has expired, and in no event after three years in Illinois and one year in Texas. Illinois also requires a publicly available written policy regarding retention and destruction.
• Limited disclosures, without consent unless pursuant to a requested financial transaction, applicable law, or in response to a warrant.
• Entities must protect it using industry standard reasonable care, at least as much as entities protect other confidential and sensitive information they possesses.

Illinois permits consumers to obtain the greater of $1,000 per violation or actual damages, with statutory damages of $5,000 per reckless violation. Texas does not have a private right of action, but empowers the Attorney General to bring an enforcement action for up to $25,000 per violation.

Class actions have just begun to test the limits of the Illinois law, with several against prominent technology companies that allegedly violated the law for applying facial recognition to customer photos. One has been dismissed on procedural grounds, while another has survived a motion to dismiss.  While it is too early to know how the courts will ultimately rule, other companies’ practices may be tested under the law, or other laws that states enact.

Additional states have proposed laws and may soon follow, including California (including biometrics as personal information, and requiring implementation of security measures to protect information generally and in contracts with service providers with whom it will be shared) and Washington (similar to Texas and Illinois laws). These proposed laws are in addition to laws in Iowa, Nebraska, North Carolina, Oregon, Wisconsin, Wyoming, and New York City that have included biometric information as a type of personal information that triggers breach notification obligations.

What Do Regulators Want?

The FTC published guidance on privacy considerations for use of facial recognition technology, but not other biometric data. Among non-binding recommendations, the FTC suggests:

• “privacy by design” for facial recognition services;
• inclusion of data security controls and implementation of processes for data destruction;
• notice that “clearly” informs consumers about data practices and provides context appropriate choice, including regarding duration of storage, access rights, and right of deletion;
• “just in time” disclosures when storage or use of biometric data is not consistent with the context of the transaction; and
• express consent for use outside of purpose for which it was collected.

What to Do?

• Get consent: look at how biometric information is collected, make sure you are appropriately disclosing how the information will be used and how long it will be kept, and get informed consent to those practices.
• Update privacy policies: reexamine your privacy policy to verify that it is up to date and accurate with respect to biometric data practices to help reduce the risk that it will be deemed to be deceptive or inaccurate with respect to those practices.
• Verify data protection practices: examine whether existing administrative, technical, and physical security controls are sufficient to protect against unauthorized access to and acquisition of the biometric information that your company deals with.
• Limit retention: create processes to verify that the biometric data will not be retained for longer than disclosed or permitted, and evaluate whether any revisions are needed to existing data retention policies and procedures.
• Implement breach response plans: confirm that your company’s data breach response plan accounts for biometric data, and has appropriate procedures for responding to incidents that involve biometric data. Every minute counts when it comes to reducing the expense and liability associated with data breaches, and as laws are imposing notification obligations for breaches of biometric data, having a functioning plan to assist in your response is critical.
• Address privacy and security in vendor contracts: When using service providers and vendors that will deal with biometric data, or have access to systems with biometric data, include appropriate contractual terms, such as: to require the information be protected appropriately, deleted when required, and accounted for when data breaches occur.