U.S. States Enact BIPA: Legal Framework for Biometric Information Privacy

Before the inception of online services, brick and mortar stores and outlets did the job of facilitating them off-line i.e. in physical mode. To buy a product or avail a service, you had to reach stores, outlets, or other forms of physical presence. These businesses collected (and they still do) personal details of their customers required for availing a service. In the off-line era, the information you left behind was more or less used for contacting or identifying you regarding the service, no strings attached. Back then, there was no legal framework that how businesses would use this information. But now time has changed, services have gone digital, many of them do not even have a physical presence anymore. Personal data of users has become a weapon of dominance in the market.

Bigger corporations that provide online services are collecting more information than ever, infringing user privacy to an unacceptable level. They know your favourite smartphone brand and even the brand your cat likes for her food, if you ever bought or searched them online. This activity is made legal in Privacy Statement and Term & Condition that we click before buying or signing up for a service.

Now reaching physical stores or outlets sounds like a cumbersome task as most things can be done via the internet. Online services are no more limited to sending email, voice calling or instant messaging. Shopping, food, payments, banking, citizen services by the government, etc. have already marked online presence. Availing a service requires users to provide some personal data like name, date of birth, phone number or email address. Despite the diversity in services available online, there is a one thing common in most of these: They collect user data and use it for their own benefit. Service providers can leverage user data in many ways. Tech firms like Google and Facebook use it for personalized advertising. They may provide this data to their associated for their own purpose, increasing the severity of outcomes. Some of them can even sell it to the third parties.

These days, data provided in offline mode (e.g. on paper based forms, documents, etc.) also end up on information systems or eventually the internet. Data provided by users or generated by their online activity is a valuable asset for tech firms. Firms with high volumes of user data dominate the market. Digital service providers add disclaimers, terms and conditions to make their actions legal. Users, however, hardly bother to read associated Terms and Conditions their consent is all taken by a simple click. This ignorance does not make Terms and Conditions or Privacy Statement text any less severe. You single click on “Accept” button enables a service provider use (or misuse) your personal data, with legal authority.

As businesses are increasingly implementing biometric recognition technology for authentication, user biometrics has become a potential target of data collection. There are many firms keenly interested in collecting user biometrics. Collection of user data in the past formed today’s tech giants like Google and Facebook, collection of user biometrics can have the similar fate for the companies having hold of most biometric data. Biometrics is unlike any other form of user data. When passwords are used for user authentication method, they are saved within a service provider’s system in a format hard to decipher by hackers or criminals. Even if they are able to decode passwords, they can be changed at user end. Biometrics, however, is a different story. You can change your phone number or email address or even password, but not your fingerprints or iris pattern. This fact alone is enough to imagine what can be the cost of losing biometric data.

Biometrics has received its due acceptance in recent years and commercial applications of this technology are taking over the market. Organizations, which are leveraging user biometrics for authentication, are required to store biometric data in a secure environment. Services providers have been doing the same with passwords for many years and despite their efforts, data security incidents take place. It also raises concern of security of biometric data. Issue of privacy gets complicated when it comes to biometrics. Present privacy law is insufficient to protect biometric data of users. Issue of biometric information privacy is not limited to online services; biometric data of students in K-12 schools, employee data collected by employers, biometric data of patients, members of various outfits, etc. further intensify the need of a legal framework for the collection and use of biometric data.

Biometrics is going to be next big thing in user identification and authentication. Payment authentication with a selfie, voice authentication for tele-banking and fingerprint scan to print boarding passes at airports are already a reality. Biometrics is inevitable and going to replace traditional ways of user authentication completely in some point of time. Since biometrics is way more efficient and easy to use than traditional authentication methods, usage of biometrics has already exploded in commercial application. This will lead to collection of huge volume of user biometrics from business and institutions. Fate of user biometrics cannot be left without a legislation to protect it.

Since a person’s biometrics cannot be changed if compromised, it poses a greater risk than all other forms of data and requires specific law to be framed for protecting biometric data. Soon most systems will be using biometrics for personal identification and authentication, losing biometric data can be disastrous. Though it is not possible to create original biometric pattern of users with biometric templates, the possibility cannot be entirely overruled. It will lead to biometric identity theft and fraudulently authenticate transactions.

Permanence of a biometric identifier is considered a favouring characteristic for the technology, however, it becomes a threat if this biometric data is compromised. More and more businesses are taking up biometrics for user identification. Social networks are using face biometric to recognize users on the photos they post. This level of intrusion grabbed attention of privacy advocates and eventually paved the way to biometric information privacy law. Since commercial outfits, specially those which are in information technology business, collect way more user data, fate of biometric data was highly uncertain without a legal framework to protect it.

Understanding the criticality of the subject matter, the U.S. states are enacting Biometric Information Privacy Act to fill the gap that has remained in current user data privacy laws. Since legal framing of biometric usage of user biometrics has been loosely framed in previous laws a law like BIPA was long awaited. BIPA was required to ensure companies do not collect and use biometric data in ways that compromised an individual’s right to privacy.

Illinois has passed Biometric Information Privacy Act (740 ILCS 14/1 or BIPA) in 2008. Texas has also codified the law for capture of use of biometric identifier (Tex. Bus. & Com. Code Ann. §503.001) in 2009. Following the trend, the Governor of the Washington State signed into law House Bill 1493 (“H.B. 1493”) on May 16, 2017, which sets forth requirements for businesses who collect and use biometric identifiers for commercial purposes.

BIPA is also underway in several other states, leading way to cover the whole country in future, however, there is no timeline as of yet. Users can take a sign of relief as states are enacting BIPA, however, technology firms do not look too happy about it. They want more control how they use user data including biometrics. Aggressive lobbying by companies interested in gathering user biometrics has delayed the implementation of BIPA in many states.

If you lose your government ID, it can be cancelled and a new one can be issued by the concerned department. This reissuance is not possible with biometric data, if it is compromised once, compromised forever. Biometrics data is handle-with-care case. Biometric Information Privacy Act is expected to make a difference how commercial outfits collect and use biometric data. The bill has been implemented in some states and underway in several others. Businesses are not at all in favour of this law and lobbying for make it more favourable for them as they want more control on users’ biometric data. BIPA, however, is expected to be implemented across the United States gradually, paving the way to user privacy.