As use of biometrics grows, some states consider legislation to protect privacy

As the use of biometrics grows across a range of industries, so do concerns over how this information will be used (or misused) and possible effects on personal privacy. To ensure that the parties collecting and managing this data are also protecting and using it properly, some states have implemented laws governing the gathering and use of biometric information.

Illinois became the first state to regulate the collection of biometric information in 2008. Washington and Texas have since passed similar laws. Illinois’ Biometric Information Privacy Act is still the strictest regulation and is the only one that allows individuals to sue for damages stemming from a violation. It prescribes $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. Companies must also tell people how their biometric data will be used and how they’ll keep it. The law’s damages provision has spawned many class-action lawsuits, not all of which were considered legitimate.  

Companies are keeping an eye on what’s happening in Illinois because it could have implications for how they handle biometric data in the future. For example, in late January the Illinois Supreme Court ruled that a teen could sue Six Flags for violating the Illinois Biometric Information Privacy Act. According to the Chicago Tribune, the teen bought a season pass to Six Flags Great America in 2004 and had his fingerprint data collected without consent. The case overturned a previous ruling that had found in favor of Six Flags.

The Texas and Washington laws are not as stringent as the Illinois law. The Texas Biometric Privacy Act, passed in 2009, does not require written consent. Washington’s law, passed in 2017, defines “biometric identifier” differently from the other two laws. Other states are reportedly considering legislation as well, including California, Alaska, Montana and New York.

Biometric data can’t be changed, making legislation that protects it necessary, said supporters of the law. Some counter that regulation will hinder the marketplace and restrict the adoption of biometric technology. Companies that operate in Illinois have already changed the type of services or the type of biometric data they collect as a result of the state’s biometric law. For example, Google’s parent company Alphabet owns Nest, a camera doorbell that can recognize faces. However, Nest does not offer that feature in Illinois because of the law, according to Recode.

The question is how to balance consumer protection and privacy concerns. Perhaps looking at how other countries are dealing with this issue can shed some light. The E.U., which recently adopted the strict General Data Protection Regulation, defines biometric data as “special categories of personal data” and prohibits its “processing.” In other words, it protects people from having their information shared with third parties without their consent. However, it does contain some exceptions, such as if a person gave consent. In that way it conceivably gives consumers more control.

There has been some talk of the U.S. government passing legislation governing the collection and use of biometrics or, more broadly, digital privacy, instead of waiting for states to enact laws. The trick is to pass laws that protect consumers (who deserve to have their biometrics protected) as well as allow the biometric technology industry to flourish.
