Biometrics & Their Regulation - Part II
photo by Sebastian Pichler courtesy of Unsplash
by Jure Erlic, Fusion Center Intelligence Analyst

In the first part of this two-part series, I discussed the topic of biometric devices, how they are defined, the types of devices that exist, and their claimed potential advantages. Despite claims of enhanced security and streamlined costs compared to traditional systems, biometric devices are not without flaws. In addition to technical issues, such as false positives and false negatives, which remain an inherent issue when considering the adoption of such devices, a significant concern that adopters should also consider is their legality. Concerned citizens and privacy advocates raise legal objections to using such devices in the workplace.

The purpose of this article is to provide a brief overview of existing biometric privacy legislation by examining current efforts on three levels: federal, state, and city.

Currently, no comprehensive federal statute exists that regulates the use of such devices. Senate Bill 4400, known as the National Biometric Information Privacy Act of 2020 (NBIPA), was an attempt. The bill, introduced by Senators Jeff Merkley and Bernie Sanders, would have utilized Illinois’ 2008 Biometric Information Privacy Act (BIPA) as its template, copying and expanding its provisions. The NBIPA would have placed limitations on what would constitute the legal use of a biometric device, implemented a mandatory “right to know” clause, and banned the use of biometric data for advertising purposes. Although the bill failed to gain traction in the Senate, if the current privacy movement in the United States continues to grow, future legislation may integrate specific NBIPA provisions.

The state legislatures have been the most proactive of the three levels in creating biometric data regulations. Some of these states opted to adopt broad biometric privacy laws which dictate the types of devices and companies that fall under the law, outline procedures for legal use, and establish sanctions for violations. On the other hand, other states have chosen to address biometric privacy in a more limited scope by amending existing privacy laws to include biometric data as protected data. Illinois, California, Texas, Washington, New York, Arkansas, Colorado, Maryland, and Virginia have passed laws or amendments related to biometric privacy. For this overview, we will examine the states of Illinois, California, Texas, Washington, and New York as they provide insight into how states approach the matter.


Illinois’s 2008 BIPA was the first law in the United States regulating data gathering from biometric devices. BIPA defined biometric information as data gathered from “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” To legally collect any of this data under BIPA, the collector must receive the written consent of the involved party. The law requires that the collector detail the type of information gathered, disclose that the collector will store the data in a database, and explain the reason behind the data collection. Failure to carry out any of these requirements opens the collector to litigation, as aggrieved parties can pursue lawsuits against the company even if no financial injury occurred.

BIPA also establishes civil penalties for data breaches: companies can be fined between $1,000 and $5,000 (USD) per violation. The size of the fine depends on whether the breach occurred due to negligence or to intentional or reckless conduct. Despite enactment in 2008, the law did not see actual use until 2015. A series of five significant lawsuits against Facebook (now Meta) and Shutterfly brought BIPA into the national spotlight. Between 2008 and 2021, plaintiffs filed over 750 class action BIPA lawsuits against a multitude of companies, including Amazon, Google, TikTok, and Six Flags, Inc. Due to BIPA’s application clause, even companies not based in Illinois are subject to lawsuits as long as they operate there.

The 2020 version of the California Consumer Privacy Act (CCPA) amended the state’s 2018 CCPA to include protections and restrictions related to biometric data. Unlike BIPA, the CCPA took a more expansive approach in defining the data types that constitute biometric information. In addition to the data inputs listed in BIPA, the CCPA described data gathered from vein patterns, voice recordings, keystroke rhythms, gait patterns, sleep, health, and exercise as biometric data.

Companies can gather such data for business purposes; however, they must notify individuals. The CCPA gives individuals an expansion of consumer rights not seen in BIPA, such as the right to request the information and the right to request that the collector destroy the data. The law requires companies collecting such data to maintain reasonable security plans for storing it. Unlike BIPA, the CCPA severely limits the right to private action: individuals can only pursue private litigation against a company if that company fails to prevent a data breach, and they can only recover between $100 and $750 in statutory damages per incident. Outside of this instance, only the state’s attorney general can pursue litigation, with companies facing maximum fines of around $2,500 per unintentional violation and $7,500 per intentional violation of the act.

The state of Texas passed its biometric privacy law in 2009. The Capture or Use of Biometric Identifier (CUBI) Act shares multiple features with BIPA. It requires companies to notify individuals and receive their consent before gathering their biometric data, requires that the company destroy the data after a year or after terminating the employee, and prohibits the sale of the data. It similarly defines biometric data as eye scans, fingerprints, voiceprints, and hand or face geometry. The main difference between BIPA and CUBI is that CUBI removes the right to private action by aggrieved parties, reserving litigation for the Texas attorney general, who can choose to pursue civil penalties of up to $25,000 per violation, with no cap on the total. This significantly narrows the scope of possible litigation, as only the state’s attorney general can bring a case or sanction a company. For this reason, CUBI is not mentioned often in biometric privacy litigation.

Washington state’s biometric privacy law is House Bill 1493 (HB 1493). It borrows its framework from BIPA. It defines biometric data as “measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, retinas, irises, or other unique biological pattern or characteristics used to identify a specific individual.” The act notes that physical or digital photographs, videos, or audio recordings of an individual do not count as biometric data. The main difference between HB 1493 and BIPA is how it treats the collection of biometric data and consent. Under HB 1493, entities can capture forms of biometric data without the consent of individuals; however, they are not allowed to transfer and store that data in a company database unless they notify the individual and receive their consent. The exception to this database enrollment clause is for “security purposes,” which allows companies to collect and store biometric data to enhance business security, e.g., deterring theft or identifying repeat offenders. For example, under these conditions, companies can use biometric data to establish databases of identified shoplifters without receiving the party’s consent. If a company does enroll an individual without their permission for a non-security purpose, it can face sanctions. Like Texas, Washington’s HB 1493 only allows the state’s attorney general to pursue litigation against a violating company.

New York’s approach to biometric privacy protection is somewhat more limited than that of the other states examined. In 2019, New York amended its existing Stop Hacks and Improve Electronic Data Security (SHIELD) Act to include biometric data. The amendment allows companies to collect biometric data, such as iris or retina images, fingerprints, and voiceprints, but requires them to devise data security programs and a notification plan for data breaches. These security programs must consist of administrative, technical, and physical safeguards. If these safeguards fail, the law requires the company to inform New York state law enforcement and federal agencies of the breach.

If the breach affects over 5,000 New York residents, the company must also notify the consumer reporting agencies designated by the New York attorney general. Companies that fail to meet the state’s expectation of a reasonable security plan can face penalties of up to $5,000 per violation. If they fail to properly notify individuals of a data breach, the state can hold them liable for actual damages, in addition to civil penalties of $5,000 for failed notifications.

In addition to these state initiatives, city councils have created laws regulating biometric data gathering. Two examples are New York City and Portland, both of which passed ordinances related to biometric privacy.


New York City’s biometric privacy regulation, Administrative Code 22-1201 through 22-1205, came into effect on July 9, 2021, and defines biometric data as “physiological or biological characteristics that [are] used by or on behalf of a commercial establishment to identify or assist in identifying an individual.” According to the bill, companies can gather biometric data from retina and iris scanners, fingerprints or voiceprints, hand or face geometry scans, and any other system that uses an individual’s unique characteristics. Companies collecting such data must place signage in the establishment that explains to customers that their biometric data is being collected, retained, converted, and stored. Failure to do so puts a company at risk of litigation, as the ordinance allows individuals to sue companies for failure to comply with the disclosure requirements. To pursue a lawsuit against a company, a customer must first provide written notice to the commercial establishment detailing the lack of clear signage. The establishment then has 30 days to address the issue; if it fails to do so, the customer can sue to recover $500 per violation. Customers do not need to provide written notice if they claim that the business is selling or profiting from their biometric data. If that claim is found to be accurate, individuals can recover $500 per negligent violation and up to $5,000 per intentional or reckless violation. According to legal commentary, companies that use traditional CCTV systems without software that analyzes individuals based on their physiological or biological characteristics would not trigger the law. However, commercial enterprises using techniques such as facial recognition software to identify customers and potential threats would need to place signage.

Unlike New York City, Portland’s city council adopted a more targeted approach when it passed two ordinances on September 9, 2020. These banned the use of facial recognition systems by public and private entities. The council’s rationale for the ban was the potential harm to minority communities arising from false positives. Under these laws, public entities can only use facial recognition technologies for verification purposes on staff devices, where automatic face detection is inherent to a social media platform (for example, Facebook’s facial recognition software), and for editing footage to protect an individual’s privacy. The ordinances forbid private enterprises defined as open to the public, such as retail, food service, and recreation venues, from using such devices. They exempt private entities that operate commercial facilities, private clubs, private residences, or places of accommodation defined by their nature as distinctly confidential. The ban establishes a private right of action for aggrieved parties, who can sue violators for damages, including statutory damages of up to $1,000 per day of violation.

In conclusion, if a company seeks to incorporate biometric devices into its existing security program, it should do its due diligence beforehand. Not only should it evaluate each biometric system’s strengths and weaknesses, but it should also factor in the legal regulations surrounding them at the federal, state, and city levels. As the selection of laws presented shows, states and cities have formulated various policies on how they expect private companies to handle biometric data. Analyzing the pros and cons of each system, and understanding the legislation surrounding the use of the selected system, helps control the risk of financial penalties by minimizing the risk of litigation in an ever-changing legal environment.

In August 2021, Jure Erlic joined the SIS Fusion Center as a Fusion Center Intelligence Analyst. Intelligence Analysts frequently provide SIS employees with articles on security-related topics to keep everyone up to date and informed. Erlic's "Part One" on Biometrics can be read here.

Visit www.sis.us to learn more and to see our job openings.