Oct 02

Biometric Regulations in the U.S. States: The State of Play

  • Danny Thakkar
  • Biometric Data Security, Privacy

Identity authentication is an inescapable part of daily life. With the rise of the internet and connectivity, people need a digital counterpart, i.e. an online identity that represents them over the internet. Most services used in everyday life have gone online and require users to create a separate identity for each service. Users end up creating many online identities, which are traditionally protected by a password. The result is either a lot of passwords to remember, which degrades the user experience, or the same password reused for every service, which is a highly insecure practice. To overcome these and many other problems with traditional methods of identity authentication, technology experts are looking at biometrics to mitigate the associated risks.

Leveraging biometrics for user identification and authentication improves security and convenience; however, it also raises concerns regarding the collection and use of biometric data by service providers. The legal framework for the collection and use of biometric data is still in its infancy in the United States. Let’s have a look at the state of play of biometric regulations in the US states.

Rise of biometrics and concerns of user privacy

Biometrics is the technique of recognizing people by their unique behavioral or physiological patterns such as fingerprints, iris pattern, voice, gait, etc. These characteristics are unique to an individual and do not change with age. They offer an opportunity for personal identification, and the technology that achieves this is called biometrics or biometric technology. Biometrics has gained popularity in recent years due to its speed and accuracy. It is being used for small- as well as large-scale user identification and authentication applications, and more biometric data is being collected than ever.

Despite the success of biometric technology, a lot of people are anxious about it. Because it has its roots in law enforcement and forensics, people often become suspicious when they are asked to scan their fingerprints or eyes. Their suspicion, however, is not unfounded. Unlike most other methods of user authentication (e.g. PINs, passwords, tokens, ID cards, etc.), an individual's biometric identifiers cannot be changed if compromised. Privacy advocates often express concerns regarding the collection and use of biometric data. Collection of fingerprints was once limited to criminals and terrorists, but now, with commercial applications, businesses are increasingly collecting fingerprints and other biometric data of users. Law enforcement agencies, on the other hand, are also collecting fingerprints and other biometrics of criminal as well as civil subjects. Schools are collecting biometric data of students at a very young age. All this has raised concerns about the security and use of this data.

Collection and storage of biometric data is a sensitive subject because of the unalterable nature of biometric identifiers. Any breach of the information systems that store biometric information can lead to serious consequences, and users may lose their biometric identity permanently.

Information privacy acts and BIPA

Despite being the world’s second largest democracy and the largest economy, the United States still has a lot to do in terms of legislating information privacy. There is no all-encompassing law that protects user privacy and regulates the collection and usage of personal information by private or government organizations. In most states, laws specific to biometric data are yet to be implemented, and biometric data is regulated by existing privacy laws, which are highly inadequate to protect it. In those states, government, private and commercial outfits can collect biometric information and use it as per their privacy policy unless it is directly regulated by specific federal or state laws such as the Privacy Act of 1974, HIPAA, FCRA, GLBA, FERPA, etc.

In the United States, privacy laws face opposition from large corporations during implementation and fail to be enacted. For example, the California Right to Know Act bill faced heavy opposition from tech giants like Microsoft, Google and Facebook, and was not enacted.

The criticality of biometric data and the inadequacies of current information privacy acts paved the way for laws specifically intended for the privacy and security of biometric data. BIPA, the Biometric Information Privacy Act, is the act codified to ensure the privacy and security of users’ biometric identifiers. Big corporations collect enormous amounts of user information that can be used to personally identify them. The present-day rampant collection of personal information is enough to give us a hint about the fate of biometric data if it is not regulated by a legal framework beforehand. BIPA imposes strict notice and consent requirements on organizations before they may collect, capture, purchase, receive through trade, or otherwise obtain biometric data. Informed consent is required before a user’s biometric data is collected and stored, along with disclosure of the purpose and the length of time for which that data will be stored and used.

State by state biometric regulations

Illinois became the first state to enact BIPA (Biometric Information Privacy Act) in 2008. It was a historic moment that made privacy advocates cheer and businesses worry. Since then, businesses that rely on the collection of biometric data have been lobbying to make these laws less stringent in other states where they are yet to be implemented.

Image: Attempts to enact biometric information privacy bills have failed in all but three states: Illinois, Texas and Washington.

Illinois

The Illinois version of BIPA (740 ILCS 14/1 or BIPA) requires businesses and organizations to establish a policy for the collection, storage and destruction of biometric data and to make it publicly available. Users should be served with a notice before the collection of their biometric identifiers, stating the purpose and duration of such collection. The statute requires consent prior to the collection of biometric data and prohibits selling or profiting from it. The law defines “biometric identifier” as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, physical descriptions such as height, weight, hair color, or eye color, or certain other items.

Texas

Texas also codified a law on the capture and use of biometric identifiers (Tex. Bus. & Com. Code Ann. §503.001) in 2009, which states that a person’s biometric identifiers cannot be captured without informed consent. Biometric identifiers cannot be sold or disclosed to other parties unless certain conditions are met as detailed in the law. The law also mandates that biometric data be stored, transmitted and protected from disclosure using reasonable care. It also requires disposal of biometric data within a reasonable time. The same goes for employers: if biometric identifiers are collected for security purposes by an employer, they should be retained no longer than the termination of the employment relationship. Unlike Illinois BIPA, the Texas version of the law does not give a private right to sue violators of the law.

Washington

The Governor of Washington State signed into law House Bill 1493 (“H.B. 1493”) on May 16, 2017, which sets forth requirements for businesses that collect and use biometric identifiers for commercial purposes. The legislation puts both notice and consent requirements in place, like the Illinois and Texas versions of BIPA. The Washington BIPA also lacks a “private right of action” upon violation of the law. While HB1493 incorporates the “reasonable care” standards of both Illinois’ HB2411 and Texas’ §503.001, it goes a step further with the added requirement that entities must protect against or prevent actual fraud, criminal activity, claims, and the like. While privacy attorneys call it a weaker law than its Illinois counterpart, corporate advocates suggest that Washington’s BIPA is more realistic and will protect both consumers and innovation.

Other states

Biometric information privacy bills in California, Alaska, Idaho, New Hampshire, and Montana failed to be enacted. The bills in these states included a private right of action upon violation of the law. The private right of action is the part that concerns corporations, and they lobby against the passage of such bills. The biometric privacy bills suffered the same fate in Connecticut, Massachusetts, and New York. The bills in these states did not include a private right to sue, but they failed to be enacted anyway. Technology firms have already expressed their concerns that notice and consent requirements are “too broad” and would hinder innovation. Incorporating a notice and consent interface may not always be possible in a complex technological environment.

Conclusion

Despite the widespread adoption of biometric applications and biometric data piling up with commercial outfits, the legislative mechanism is failing to match the speed of adoption. Tech firms are lobbying for less stringent biometric regulations that do not hurt their business. Their efforts are either delaying the biometric regulation bills or making them weaker. Unlike Illinois, neither the Washington Biometric Privacy Act (HB1493) nor the Texas Biometric Identifier Statute (Bus. & Com. §503.001) provides consumers with a private right of action to sue for alleged violations, which explains the lack of similar class actions in those states. Outside these three jurisdictions, the biometric data of millions of consumers remains vulnerable and they cannot do anything about it. Failed attempts to enact biometric information privacy bills in several states also exhibit the government’s inability to protect user privacy.


About The Author

Mary Clark is Product Manager at Bayometric, one of the leading biometric solution providers in the world. She has been in the Biometric Industry for 10+ years and has extensive experience across public and private sector verticals.
