In just the last week, the New York State DMV announced an upgrade to facial recognition software to catch identity thieves trying to obtain fraudulent driver’s licenses, and the Scottish Professional Football League was denied a request for funding for facial recognition at stadiums to track unacceptable conduct. Use of technology and services that leverage biometrics – unique physical or behavioral characteristics about a person – is increasing, and privacy laws are hot on their trail with U.S. states starting to consider and enact laws restricting how companies can collect and use biometrics information, restricting how long the information can be retained, and specifying how it must be protected. This post tells you the high points you need to know about U.S. biometrics privacy laws, and what to do to avoid being the next lawsuit target. In a second, forthcoming post, we will focus on the current (and future) state of EU law, where there are already stringent restrictions on the collection, use and transfer or biometric information.
Biometrics include retina or iris scans, fingerprints, voiceprints, scans or records of hand or face geometry, or any other information based on such items that is used to identify an individual. So far, two states (Texas and Illinois) have laws that focus on biometrics privacy. Texas and Illinois require:
Illinois permits consumers to obtain the greater of $1,000 per violation or actual damages, with statutory damages of $5,000 per reckless violation. Texas does not have a private right of action, but empowers the Attorney General to bring an enforcement action for up to $25,000 per violation.
What to Do?