
Navigating Biometric Data Regulations

06/27/23
Travis Jarae
Liminal CEO
Gilad Rosner

Understanding BIPA and Global Privacy Laws

In this blog post: 

  1. Companies must navigate and comply with biometric data regulations to protect individuals’ privacy rights.
  2. Companies must prioritize obtaining informed consent from individuals before collecting and using their biometric data.
  3. Companies must understand the risks associated with facial recognition technology and biometric data collection and balance the benefits against those risks.
  4. Complying with biometric data regulations demonstrates a commitment to privacy and security, fostering customer trust and ethical, responsible data handling.
  5. By aligning innovation efforts with compliance requirements, businesses can continue developing innovative biometric technologies and services while protecting privacy.

In recent years, the use of biometric data has become increasingly common in industries including technology, healthcare, and finance. Biometric data refers to unique physical or behavioral characteristics that can be used to identify individuals, such as fingerprints, facial recognition data, and iris scans. However, collecting, storing, and using biometric data has also raised concerns about privacy and security, leading to regulations worldwide, including the Biometric Information Privacy Act (BIPA) in Illinois.

BIPA has been in effect since 2008 and is a critical regulation governing the handling of biometric data in Illinois. The act applies to all private entities that collect, store, or use biometric data, regardless of the size of the business, and carries significant consequences for non-compliance. Other US states, such as Texas and Washington, have similar laws governing the collection, use, and storage of biometric data.

In addition to complying with local regulations, companies that collect, store, or use biometric data must implement strong data protection and security measures to protect individuals’ privacy rights and prevent fraud. Biometric data is particularly sensitive because it is often used for authentication and security purposes, which means that companies offering biometric authentication services, such as facial recognition or fingerprint scanning, may face greater scrutiny and stricter regulatory requirements.

Outside the United States, many other countries also have laws and regulations governing the collection, use, and storage of biometric data. The European Union’s General Data Protection Regulation (GDPR) is widely regarded as the world’s most comprehensive data protection regulation, and the handling of biometric data falls under its most stringent requirements. Other countries, such as India and Australia, also have strict biometric data regulations, including requirements for explicit consent, data security measures, and penalties for non-compliance.

Biometric Information Privacy Act (BIPA): Obtaining Informed Consent 

BIPA compliance mandates that companies obtain informed consent from individuals before collecting and using their biometric data and establish reasonable security measures to safeguard that data. However, “reasonable security measures” may be difficult to define, and no one-size-fits-all solution exists. Companies must assess their specific risks and vulnerabilities, implement suitable technical and organizational measures to address them, and monitor the outcomes of BIPA court cases involving security questions.

To obtain informed consent under BIPA, companies must provide individuals with written notice of the specific purpose and duration for which their biometric data will be collected, stored, and used. They must also secure a written release from the individual. Best practices for obtaining informed consent include providing clear and concise notices, obtaining separate consent for different uses of biometric data, and offering individuals the opportunity to opt out of specific uses.

As a company that collects and uses biometric data, it is crucial to ensure that third-party vendors and partners who handle this data on your behalf are also compliant with BIPA regulations. One way to guarantee compliance is to include specific language in contracts and service-level agreements that outline BIPA compliance requirements. In addition, you should conduct due diligence on third-party vendors and partners to certify that they have the appropriate policies and procedures in place to safeguard biometric data.

Companies must understand the severity of non-compliance with biometric regulations. Individuals have a private right of action under BIPA, and a slew of class action lawsuits have been filed since its passage, most settling out of court at costs running into hundreds of millions of dollars. Regulatory agencies can also impose fines and other penalties on companies. Data breaches and unauthorized or fraudulent access to biometric data can seriously affect a business as well: in addition to civil penalties, companies may suffer reputational damage and loss of customer trust.

Balancing the Risks and Benefits of Biometric Data Collection and Storage

Several risks are associated with the collection and storage of biometric data. One is the possibility of data breaches or unauthorized access to sensitive personal information, leading to identity theft and other forms of fraud. Another is the potential misuse of biometric data by companies or individuals for nefarious purposes, such as surveillance or discrimination. Furthermore, biometric matching may not be accurate, which can lead to false positives or false negatives with serious consequences for the individuals affected. Therefore, companies must implement robust data security measures and ethical practices when collecting and storing biometric data.

When handling biometric data, BIPA compliance requires companies to implement reasonable security measures such as encryption, access controls, and regular security assessments. It is equally important for companies to ensure that their data privacy practices meet broader regulatory requirements, such as those under the GDPR or CCPA. This may entail a comprehensive review of existing policies and procedures, along with ongoing monitoring and training to ensure employees follow best practices.

While compliance may present challenges for companies that collect, store, and use biometric data, these regulations do not have to stifle innovation. Compliance can help foster trust with customers and other stakeholders by demonstrating a commitment to protecting their privacy and security. By implementing strong data privacy and security measures, companies can continue to innovate and develop new biometric technologies and services while complying with the various data security and privacy regulations.

As technology evolves, further regulatory developments related to biometric data privacy are likely. To ensure ongoing compliance, companies must regularly assess their policies and procedures to confirm they are up to date and meet any new regulatory requirements.

Opportunities and Challenges of Biometric Data Privacy Regulations and Compliance 

Biometric data privacy regulations require companies to obtain written consent from individuals and to implement appropriate data security measures that protect biometric data from unauthorized access and disclosure. Compliance can be complex and expensive for companies, especially given the increasing use of facial recognition technology.

However, companies can also benefit from the regulation by developing innovative and effective biometric data security measures, giving them a competitive edge in the marketplace and building trust with customers and stakeholders. Communicating a company’s compliance with biometric data privacy regulations to customers and stakeholders can establish trust and demonstrate a commitment to ethical and responsible data-handling practices.

Several companies, including Microsoft, Google, Facebook, and Apple, have implemented measures to protect individuals’ biometric privacy rights and comply with related regulations. For example, Microsoft’s approach to compliance gives individuals control over their biometric data. Google has committed to not using biometric data for advertising purposes and has implemented robust data security measures.

Regulatory Frameworks for Biometric Data Handling in Different Jurisdictions

The use of biometric data is increasing worldwide, which means that companies and organizations must handle this sensitive information responsibly and ethically. To do so, they must comply with the laws and regulations in their respective jurisdictions and implement strong data security measures to protect individuals’ privacy rights.

For example, the EU’s GDPR includes specific provisions related to biometric data, requiring explicit consent for processing and mandating secure processing. Other countries, such as Canada and Australia, also have laws regulating biometric data collection, use, and storage. Even countries without specific laws, like the United Kingdom, have guidelines for using biometric data in the workplace and public spaces.

GDPR is widely regarded as the world’s strictest biometric data regulation due to its comprehensive scope, stringent requirements, and significant penalties for non-compliance. As noted above, countries such as India and Australia also impose strict requirements, including explicit consent, data security measures, and penalties for non-compliance.

Companies handling biometric data must follow regulations in their respective jurisdictions and implement strong data security measures to protect individuals’ privacy rights.

  • Biometric Information Privacy Act (BIPA) – United States: BIPA is a state-level regulation in Illinois that requires companies to obtain written consent from individuals before collecting, storing, or using their biometric data. The regulation applies to biometric data such as fingerprints, facial recognition, and iris scans. Companies must also have a written policy for retaining and destroying biometric data and must protect the data using reasonable safeguards.
  • General Data Protection Regulation (GDPR) – European Union: The GDPR is a comprehensive data protection regulation that applies to all personal data, including biometric data. The regulation requires companies to obtain explicit consent from individuals before collecting, storing, or using their biometric data. Companies must also provide individuals the right to access, correct, or delete their biometric data. The GDPR requires companies to implement technical and organizational measures to protect biometric data from unauthorized access and data breaches.
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada: PIPEDA applies to all personal information, including biometric data, and requires companies to obtain consent before collecting, using, or disclosing individuals’ biometric data. Companies must also be transparent about the purposes for collecting biometric data and must take reasonable steps to protect the data from unauthorized access, use, or disclosure.
  • National Biometric Identification System (NBIS) – India: The NBIS is a government-run biometric identification system that collects and stores biometric data from Indian citizens, including fingerprints and iris scans. The system is used for various government services, including banking, healthcare, and welfare. The government has implemented strict security measures to protect biometric data but has faced criticism over potential privacy violations.

Regulations governing the use of biometric data share similarities in requiring consent and data protection measures but differ in approach and scope. As the use of biometric data increases globally, companies must handle this information responsibly and ethically, comply with local laws and regulations, and implement strong data security measures. Certain industries may face higher risks and challenges due to the nature of their operations and the sensitivity of the data they manage.
