With the increase in biometric lawsuits, what regulations can protect our privacy?


By Rob Shavell, Co-Founder and CEO of Abine / Delete me

Biometric chases are happening everywhere. From fast food chains and pork producers to logistics companies and tech giants like Google, countless companies are currently facing lawsuits over how they collect, store and use customer biometric information. and employees. In January 2021 alone, plaintiffs filed up to 55 lawsuits. However, while the public interest in the privacy of biometric data is undoubtedly increasing, the current wave of biometric lawsuits also highlights a worrying fact: current legislation does not protect consumers’ biometric information.

Biometric data becomes a “normal” part of authentication

Whereas it was once a novelty, biometric authentication no longer surprises us. Hundreds of millions of people now use biometrics on a daily basis to unlock their devices or log into their workplace without worrying about technology. However, as our acceptance of biometric scanning grows, tech companies are finding new uses for the technology behind it and dramatically increasing the potential for abuse.

Amazon’s “Amazon One” provides a relevant example. Introduced in Amazon Go stores last year, Amazon One is a biometric palmprint scanner that allows people to pay for items using their palm prints.

In what can be a significant negative development for individual privacy, this technology allows Amazon to link customers’ biometrics to their accounts. Ultimately, this new mine of data will inevitably allow Amazon to further personalize its offers. Technology policy analyst Frederike Kaltheuner agrees with this point, describing Amazon One as a method for the tech giant to “fill in the gaps in its data empire” rather than the customer benefit it claims to be. .

Amazon isn’t the only company to collect biometric information from customers. Earlier this year, TikTok updated its privacy policy to inform its users that it will now collect their “voice prints” and “facial prints”. Disturbingly, there is no mention of what either term means or what the company will do with the biometric information it collects. And even though TikTok says that, “where required by law,” it will seek user consent before collecting this information, the question we need to ask ourselves is, what law?

The current legal landscape

In the face of the growing threat of biometric data abuse to customers, there is currently no comprehensive federal law governing the collection and use of biometric data in the United States. However, that doesn’t mean federal lawmakers aren’t interested in adopting one.

Introduced last year, the National Biometric Information Privacy Act of 2020 (NBIPA) aims to regulate the collection, disclosure, retention and destruction of biometric data. If passed, the law would require private companies to obtain consent from individuals before collecting their biometric data, such as eye scans, facial prints, voice scans and fingerprints. Importantly, the law would also allow a private right of action.

The proposed NBIPA closely mirrors the Illinois Biometric Information Privacy Act (BIPA). Passed in 2008, BIPA is still one of the strongest privacy laws in the country and has facilitated countless privacy lawsuits. Under this law, people are allowed to follow an individual course of action even if they have not suffered direct harm or harm from a company violating BIPA requirements. If it hadn’t been for BIPA, Facebook’s face photo tagging feature would never have been in question. Cited against Facebook, BIPA led directly to a $ 650 million class action settlement and, in the words of U.S. District Court Judge James Donato, a “major victory for consumers in the hotly contested privacy arena.” digital ”.

Since the enactment of BIPA, other states, including California, Texas, Washington, New York, and Arkansas, have passed their own biometrics laws. Unfortunately, most are too lenient and the majority do not allow individuals to exercise a private right of action. For example, the New York City Biometric Identifier Information Act allows businesses to collect, use, and retain customer biometric data as long as it is notified in “plain language.” A number of similar efforts across the United States have derailed thanks to aggressive lobbying by tech companies.

But even BIPA, while a good start, may soon be insufficient to protect consumers. Biometrics is too broad and rapidly evolving a category for such a specific piece of legislation to comprehensively cover. In this regard, the CCPA, which has a broader definition of what constitutes “biometric data”, may in fact offer more protection to consumers than the BIPA, which has a much narrower definition.

All law needs broad coverage and a private right of action

Currently, only a handful of states have biometric legislation in place, and each law differs significantly in how it defines “biometric information” as well as in how entities can collect, use and store. those data. It’s important to note that only two states (Illinois and California) allow individuals to confront biometric data abusers without the attorney general taking action on their behalf.

In the future, we need more states to pass biometric laws that allow people to exercise a private right of action. And, with biometrics evolving at a breakneck pace, we also need these laws to contain relatively broad definitions of what “biometric data” is. Overly narrow biometric laws risk becoming obsolete and can end up giving tech companies loopholes to collect and potentially misuse user biometric data.

The NBIPA is a prime example of what any federal or local law should look like. First, it provides for a private right of action. Equally critical, however, and unlike BIPA, it also defines biometric information more broadly. Under the NBIPA, a “biometric identifier” can be a retinal or iris scan, a facial print, a voice print, a finger / palm print and, significantly, “any other identifying information. unique based on the characteristics of an individual’s gait or some other unchanging characteristic of an individual. “In this way, NBIPA includes the possibility of additional identifying characteristics.

Even if the NBIPA does not become law, it should become the model for states seeking to protect their citizens from the misuse of biometric identification by private companies. As for any other federal privacy legislation that may be proposed in the future, it must be based on the stipulations of the AANIB, not set aside.

About the Author

Rob Shavell is CEO of Abine / Delete me, The online privacy company. Rob has been cited as a privacy expert in The Wall Street Journal, The New York Times, The Telegraph, NPR, ABC, NBC and Fox. Rob is a strong supporter of privacy law reform, including the California Privacy Rights Act (CPRA).

DISCLAIMER: Biometric Update Industry Information is submitted content. The opinions expressed in this article are those of the author and do not necessarily reflect those of Biometric Update.

Articles topics

Abine | biometric data | biometrics | BIPA | CCPA | data collection | data protection | lawsuits | legislation | NBIPA | confidentiality | regulation


Leave A Reply