Identity authentication is an inescapable part of our daily lives. With the rise of the internet and connectivity, people need a digital counterpart, i.e. an online identity that represents them over the internet. Most services used in everyday life have gone online and require users to create a separate identity for each service. Users end up creating many online identities, which are traditionally protected by a password. This either results in a lot of passwords to remember, which deteriorates the user experience, or the same password is reused for every service, which is a highly insecure practice. To overcome these and many other problems with traditional methods of identity authentication, technology experts are looking at biometrics to mitigate the risks associated with those methods.
Leveraging biometrics for user identification and authentication improves security and convenience; however, it also raises concerns regarding the collection and use of biometric data by service providers. The legal framework for the collection and use of biometric data is still in its infancy in the United States. Let's have a look at the state of play of biometric regulations in the US states.
Rise of biometrics and concerns of user privacy
Biometrics is the technique of recognizing people by their unique behavioral or physiological patterns, such as fingerprints, iris pattern, voice, gait, etc. These characteristics are unique to an individual and do not change with age. They offer an opportunity for personal identification, and the technology that achieves this is called biometrics or biometric technology. Biometrics has gained popularity in recent years due to its speed and accuracy. It is being used for small- as well as large-scale user identification and authentication applications, and more biometric data than ever is being collected.
Despite the success of biometric technology, a lot of people are anxious about it. Because it has its roots in law enforcement and forensics, people often become suspicious when they are asked to scan their fingerprints or eyes. Their suspicion, however, is not unfounded. Unlike most other methods of user authentication (e.g. PINs, passwords, tokens, ID cards, etc.), the biometric identifiers of an individual cannot be changed if compromised. Privacy advocates often express concerns regarding the collection and use of biometric data. Collection of fingerprints was once limited to criminals and terrorists, but now, with commercial applications, businesses are increasingly collecting fingerprints and other biometric data from users. Law enforcement agencies, on the other hand, are also collecting fingerprints and other biometrics of criminal as well as civil subjects. Schools are collecting biometric data from students at a very young age. All of this has raised concerns about the security and use of this data.
Collection and storage of biometric data is a sensitive subject because of the unalterable nature of biometric identifiers. Any breach of the information systems that store biometric information can lead to serious consequences, and users may lose their biometric identity permanently.
Information privacy acts and BIPA
In the United States, privacy laws face opposition from large corporations during implementation and fail to be enacted. For example, the California Right to Know Act bill faced heavy opposition from tech giants like Microsoft, Google and Facebook, and failed to pass.
The criticality of biometric data and the inadequacies of current information privacy acts paved the way for laws specifically intended to protect the privacy and security of biometric data. BIPA, the Biometric Information Privacy Act, is the act enacted to ensure the privacy and security of users' biometric identifiers. Big corporations collect an enormous amount of user information that can be used to personally identify them. The present-day rampant collection of personal information is enough to give us a hint about the fate of biometric data if it is not regulated by a legal framework beforehand. BIPA imposes strict notice and consent requirements on organizations before they may collect, capture, purchase, receive through trade, or otherwise obtain biometric data. Informed consent is required before the collection and storage of a user's biometric data, along with disclosure of the purpose and the length of time for which that data will be stored and used.
State by state biometric regulations
Illinois became the first state to enact BIPA (the Biometric Information Privacy Act) in 2008. It was a historic moment that made privacy advocates cheer and business outfits worry. Since then, businesses that rely on the collection of biometric data have been lobbying to make these laws less intense in other states where they are yet to be implemented.
The Illinois version of BIPA (740 ILCS 14/1, or BIPA) requires businesses and organizations to establish a policy for the collection, storage and destruction of biometric data and to make it publicly available. Users must be served with a notice, stating the purpose and duration of collection, before their biometric identifiers are collected. The statute requires consent prior to the collection of biometric data and prohibits selling or otherwise profiting from it. The law defines "biometric identifier" as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color, or certain other items.
Texas also codified a law on the capture and use of biometric identifiers (Tex. Bus. & Com. Code Ann. §503.001) in 2009, which states that a person's biometric identifiers cannot be captured without informed consent. Biometric identifiers cannot be sold or disclosed to other parties unless certain conditions detailed in the law are met. The law also mandates that biometric data be stored, transmitted and protected from disclosure using reasonable care. It also requires disposal of biometric data within a reasonable time. The same applies to employers: if biometric identifiers are collected by an employer for security purposes, they must be retained no longer than the end of the employment relationship. Unlike the Illinois BIPA, the Texas version of the law does not give individuals a private right to sue violators of the law.
The Governor of Washington State signed House Bill 1493 ("H.B. 1493") into law on May 16, 2017, which sets forth requirements for businesses that collect and use biometric identifiers for commercial purposes. The legislation puts both notice and consent requirements in place, like the Illinois and Texas versions of BIPA. The Washington BIPA also lacks a "private right of action" upon violation of the law. While HB1493 incorporates the "reasonable care" standards of both Illinois' HB2411 and Texas' §503.001, it goes a step further with the added requirement that entities must protect against or prevent actual fraud, criminal activity, claims, and the like. While privacy attorneys call it a weaker law than its Illinois counterpart, corporate advocates suggest that Washington's BIPA is more realistic and will protect both consumers and innovation.
Biometric information privacy bills in California, Alaska, Idaho, New Hampshire, and Montana failed to pass. The bills in these states included a private right of action upon violation of the law. The private right of action is the part that concerns corporations, and they lobby against the passage of such bills. Biometric privacy bills suffered the same fate in Connecticut, Massachusetts, and New York. Although the bills in these states did not include a private right to sue, they failed to pass anyway. Technology firms have already expressed concerns that the notice and consent requirements are "too broad" and would hinder innovation. Incorporating a notice and consent interface may not always be possible in a complex technological environment.
Despite the widespread adoption of biometric applications and biometric data piling up with commercial outfits, the legislative mechanism is failing to match the speed of adoption. Tech firms are lobbying for less intense biometric regulations that do not hurt their business. Their efforts are either delaying the bills or making them weaker. Unlike Illinois, neither the Washington Biometric Privacy Act (HB1493) nor the Texas Biometric Identifier Statute (Bus. & Com. §503.001) provides consumers with a private right of action to sue for alleged violations, which explains the lack of similar class actions in those states. Outside these three jurisdictions, the biometric data of millions of consumers remains vulnerable, and they cannot do anything about it. The failed attempts to enact biometric information privacy bills in several states also exhibit the government's inability to protect user privacy.