Biometrics: A Fingerprint for Privacy Compliance, Part I

March.04.2016

In just the last week, the New York State DMV announced an upgrade to facial recognition software to catch identity thieves trying to obtain fraudulent driver’s licenses, and the Scottish Professional Football League was denied a request for funding for facial recognition at stadiums to track unacceptable conduct. Use of technology and services that leverage biometrics – unique physical or behavioral characteristics about a person – is increasing, and privacy laws are hot on their trail with U.S. states starting to consider and enact laws restricting how companies can collect and use biometrics information, restricting how long the information can be retained, and specifying how it must be protected. This post tells you the high points you need to know about U.S. biometrics privacy laws, and what to do to avoid being the next lawsuit target. In a second, forthcoming post, we will focus on the current (and future) state of EU law, where there are already stringent restrictions on the collection, use and transfer or biometric information.

Background

Biometrics include retina or iris scans, fingerprints, voiceprints, scans or records of hand or face geometry, or any other information based on such items that is used to identify an individual. So far, two states (Texas and Illinois) have laws that focus on biometrics privacy. Texas and Illinois require:

Notice and individual opt-in consent before obtaining biometric data. Illinois also requires a written notice of specific purpose, length of collection/use/storage, and a written release.
No commercial use (i.e., profit) even if the individual is a customer (Illinois only).
Retention limited and destruction required after purpose has expired, and in no event after three years in Illinois and one year in Texas. Illinois also requires a publicly available written policy regarding retention and destruction.
Limited disclosures, without consent unless pursuant to a requested financial transaction, applicable law, or in response to a warrant.
Entities must protect it using industry standard reasonable care, at least as much as entities protect other confidential and sensitive information they possesses.

Illinois permits consumers to obtain the greater of $1,000 per violation or actual damages, with statutory damages of $5,000 per reckless violation. Texas does not have a private right of action, but empowers the Attorney General to bring an enforcement action for up to $25,000 per violation.

Class actions have just begun to test the limits of the Illinois law, with several against prominent technology companies that allegedly violated the law for applying facial recognition to customer photos. One has been dismissed on procedural grounds, while another has survived a motion to dismiss. While it is too early to know how the courts will ultimately rule, other companies’ practices may be tested under the law, or other laws that states enact.

Additional states have proposed laws and may soon follow, including California (including biometrics as personal information, and requiring implementation of security measures to protect information generally and in contracts with service providers with whom it will be shared) and Washington (similar to Texas and Illinois laws). These proposed laws are in addition to laws in Iowa, Nebraska, North Carolina, Oregon, Wisconsin, Wyoming, and New York City that have included biometric information as a type of personal information that triggers breach notification obligations.

What Do Regulators Want?

The FTC published guidance on privacy considerations for use of facial recognition technology, but not other biometric data. Among non-binding recommendations, the FTC suggests:

“privacy by design” for facial recognition services;
inclusion of data security controls and implementation of processes for data destruction;
notice that “clearly” informs consumers about data practices and provides context appropriate choice, including regarding duration of storage, access rights, and right of deletion;
“just in time” disclosures when storage or use of biometric data is not consistent with the context of the transaction; and
express consent for use outside of purpose for which it was collected.

What to Do?

Get consent: look at how biometric information is collected, make sure you are appropriately disclosing how the information will be used and how long it will be kept, and get informed consent to those practices.
Update privacy policies: reexamine your privacy policy to verify that it is up to date and accurate with respect to biometric data practices to help reduce the risk that it will be deemed to be deceptive or inaccurate with respect to those practices.
Verify data protection practices: examine whether existing administrative, technical, and physical security controls are sufficient to protect against unauthorized access to and acquisition of the biometric information that your company deals with.
Limit retention: create processes to verify that the biometric data will not be retained for longer than disclosed or permitted, and evaluate whether any revisions are needed to existing data retention policies and procedures.
Implement breach response plans: confirm that your company’s data breach response plan accounts for biometric data, and has appropriate procedures for responding to incidents that involve biometric data. Every minute counts when it comes to reducing the expense and liability associated with data breaches, and as laws are imposing notification obligations for breaches of biometric data, having a functioning plan to assist in your response is critical.
Address privacy and security in vendor contracts: When using service providers and vendors that will deal with biometric data, or have access to systems with biometric data, include appropriate contractual terms, such as: to require the information be protected appropriately, deleted when required, and accounted for when data breaches occur.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

Data is igniting a global, technological revolution. Increased collection, use, storage, and transfer of data has shifted the paradigm of innovation – and created a global security problem. Fortune 500 companies with large quantities of data, cities with vulnerable infrastructure, and every institution in-between must manage that risk, without encumbering progress or technological advancement. To do so, they turn to Aravind Swaminathan. Aravind is ranked by Chambers USA in the categories of both Privacy and Data Security: Litigation (Band 2) and Privacy and Data Security: Incident Responses, as well as Chambers Global, which described him as "formidable in assisting clients with both the noncontentious and litigious elements of cyber-attacks and security breaches, including resulting class actions." Clients endorse Aravind, telling Chambers, that he is "very substantively knowledgeable" and has "knowledge gained from prosecuting hackers, meaning he fundamentally understands what they do."

As a strategic cybersecurity advisor, Aravind partners with clients to proactively plan for a crisis and develop strategies to improve resiliency, respond efficiently and effectively, protect their business and brand, and defend them in the onslaught of litigation and enforcement actions that follow. He guides organizations from large public company financial institutions to start-up technology companies to critical infrastructure providers through incidents, and develops business and brand-centric strategies to mitigate and manage risk. He has directed more than 200 cybersecurity incident and data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications.

With extensive trial, litigation and appellate experience, he defends his clients in cyber, privacy, and payments-related class actions and other civil litigation (particularly Computer Fraud and Abuse Act matters), and when these issues lead to regulatory investigations by the Securities and Exchange Commission (SEC), the Department of Justice (DOJ), the Federal Trade Commission (FTC), and State Attorneys General.

Aravind’s background as an assistant United States attorney and Computer Hacking and Intellectual Property Section attorney gives him first-hand understanding of federal agencies that allows him to swiftly navigate the system, partner with investigators and find creative solutions for his clients. As a federal cybercrime prosecutor, Aravind investigated and prosecuted a broad array of cybercrime cases, including hacking, phishing, trade secrets theft, click fraud, cyber threats, and identity theft. Aravind also led the cybercrime outreach program, where he worked with members of the Department of Justice, state and federal regulators, law enforcement and other organizations on cybersecurity and related privacy issues. During his time as federal prosecutor in the Complex Crimes Unit, he also investigated and prosecuted a wide array of white-collar crimes, including investment schemes, corporate fraud and embezzlement, securities fraud, tax evasion and the nation’s largest bank failure.