Biometric information will lead to millions of privacy lawsuits


By 2025, privacy lawsuits and claims related to the processing of biometric information and cyber-physical systems will have resulted in more than $8 billion in fines and settlements, according to Gartner.

Bart Willemsen, research vice president at Gartner, says, “Autonomous vehicles, drones that capture video, smart buildings, and smart cities are cyber-physical systems that capture all kinds of biometric data.

“The collection and storage of biometric information is growing in popularity, whether in the form of fingerprints, iris scans, remote recognition of face, gait, voice or even DNA samples. But this information has enormous potential for misuse or abuse.”

Willemsen says the new privacy laws cover the capture, conversion, storage and processing of biometric data, and may even apply to face tagging technology in social media.

They may also include a retention regime and may prohibit the sale, rental, trade or profit of biometric data. Some completely prohibit the use of biometric information in certain use cases.

Willemsen says, “In such cases, it is important that security and risk managers and privacy officers consider alternative and less invasive means to achieve the intended goals, explaining any the information necessary for the customer without any warning”.

Some multinational consumer-facing organizations are actively moving towards a self-service model through privacy portals and intake forms. Their intention is not just to avoid regulatory fines, but also to build customer trust and maintain a positive sentiment towards the brand.

Gartner predicts that by 2024, the average annual budget of large organizations for privacy will exceed $2.5 million, enabling the shift from compliance ethics to competitive differentiation.

Privacy budgets have grown from $1.7 million in 2019 to $2 million in 2021 and are expected to continue growing at a steady rate, analysts say.

The sudden rise in online activity, remote work and virtual learning has increased cyber threats. With privacy regulatory efforts expanding in dozens of jurisdictions over the next two years, many organizations will only see the need to begin their privacy program efforts now.

Gartner recommends that organizations first gain full and detailed control over all personal data processing activities before they can transfer that control to the individual. One way to do this is to use privacy rights and consent management services, Gartner says.

Willemsen says, “The customer will see the difference between having to wait weeks for an incomplete response or having full access to the answer to the question ‘what data does an organization process about me within seconds?’ This difference is where trust is won or lost.

Depending on the maturity of their privacy programs, organizations move beyond compliance-focused work to customer-centric activities, Gartner finds.

For example, enabling customer experience professionals to address customer complaints about lack of transparency and privacy UX automation, or providing access to privacy rights to all global customers, whether they whether obliged to do so or not, by treating customers fairly on an international scale.


Comments are closed.