Protecting our Fingerprints and Retinas: A Call for Biometric Data Privacy Legislation

By: Mona Ibadi

Biometric Data

Covid-19 triggered a new normal that forced us into a virtual nation – one where we must rely on virtual mediums to connect with others. The ability of Americans to move online at such a rapid pace demonstrates the adaptability of our society. However, reliance on computers and technology raises several privacy and security concerns that need to be addressed. This raises the question: Is American legislation as adaptable to the new age of remote work as its people?

Currently, an estimated 42% of the workforce is working from home. Many predict that remote work may become the norm, even after a vaccine is released. In fact, twenty-seven companies have already switched to long-term remote work. This newfound reliance on computer technology raises cybersecurity concerns, specifically biometric data concerns. Companies, including Facebook, Microsoft, and Six Flags, are increasingly using biometric data tools for business. Biometric technology identifies an individual using a unique piece of biological information, such as a fingerprint or retina scan. Ordinary citizens blindly provide businesses with valuable personal data every day without realizing that they have given the rights to their data to a new owner. Something as simple and common as unlocking your phone with a fingerprint scan or facial recognition uses biometric data. While biometric technologies are highly beneficial and efficient tools, the accumulation of such data in the hands of businesses casts doubt on the security of our biological privacy.

There is currently no federal law that restricts the use of biometric data by businesses. Moreover, only a minority of states have developed legislation to counterbalance increased data privacy concerns. Illinois, through the Biometric Information Privacy Law (“BIPA”), was the first to implement a biometric security law and serves as a leader for biometric privacy legislation. Other states that have followed suit and implemented biometrics legislation include Texas and Washington, with New York and California following close behind.

A potential federal biometric privacy law should direct companies that utilize biometric data to (1) notify the owner of the data when biometric technology is deployed; (2) publish their privacy policies; (3) identify the type of biometric data utilized; (4) specify the purpose of the collection; (5) maintain accuracy and completeness of the data; (6) limit access to biometric data within the company; (7) apply sufficient cybersecurity practices; (8) utilize audit logs pursuant to the federal law; and (9) communicate clear redress options and procedures.

The BIPA serves as a model for biometric privacy law. It states “[n]o private entity may collect, capture, purchase, [or] receive . . . a customer’s . . . biometric information, unless it” informs the subject that information is being collected, states the duration of such collection, and receives a written release from the subject. Additionally, the private entity cannot sell or disclose any biometric information without consent and must use reasonable care when storing it. The Illinois Legislature’s intent behind formulating this act included public wariness of biometric data (particularly when used with financial information) and limited knowledge about the full ramifications of biometric data.

Given these concerns and our increased reliance on technology, which has been exacerbated by Covid-19, why isn’t there federal protection of our biometric data? The National Biometric Information Privacy Act of 2020 was introduced in Congress back in August of this year and received preliminary considerations in the Senate before being referred to the Committee on the Judiciary. This piece of legislation seeks to impose limits on the collection, retention, disclosure, and destruction of biometric data. Other bills under consideration in Congress concerning biometric privacy include protection from government biometric surveillance, and the prohibition of facial recognition technology in certain federally assisted rental dwelling units.

However, we know the legislative process takes years and such protections may ultimately be rejected during any stage of the process. In the meantime, numerous entities are amassing biometric information, necessary for the efficiency of everyday life, but with little to no restrictions on the storage and use of such private information. It is currently legal in forty-five states for companies to employ software to identify individuals using photographs taken without consent. For example, shops can use facial recognition software to detect pre-identified shoplifters or customers who return items too often without individuals providing any information. Additionally, some companies are free to sell your biometric information for marketing purposes or extend access to it to “strategic partners” based on the discretionary privacy policies of a given company. Many entities and individuals specifically seek out biometric data as a target for massive hacks, subjecting your biological data to even more security concerns. For every company we give our biometric data to, we blindly trust that company to adopt and abide by security best practices to protect valuable information from data breaches.

Unlike passwords and social security numbers, which can be changed in the event of a data breach, your biometrics are static and unique to your identity. Therefore, taking extra security measures on your own behalf protects your vulnerable data in a way that the federal government cannot. The public, in securing this vulnerable data, should avoid using biometrics as a main form of identifier without multifactor authentication in place; inquire into a company’s security practices when biometric data is requested; or simply abstain from sharing biometrics from the outset.

Even in a society where the proliferation of social media has caused a significant increase in the amount of personal data shared online, boundaries are still important. Although there is no national protection for our valuable information, our own awareness of the intricacies and vastness of biometric data collection may save us from exposure in the future, and may even spur significant action within our federal government.

Mona is a second-year law student at Wake Forest University School of Law. She holds a Bachelor of Arts degree in Political Science from Drew University. Upon graduation, she intends to practice transactional law in the realm of privacy and corporate law.