Biometric Data Protection: A Growing Trend in State Privacy Legislation

Posted by   Lori Ross Feb 7, 2024

The use of biometric data as a means of securing technology is widely viewed as a more robust and convenient method of identity authentication, particularly when compared to practices such as username-password combinations or physical security badges. However, this security method is also uniquely vulnerable to cybersecurity threats targeting the highly sensitive data (fingerprints, DNA, facial scans, etc.) being collected and stored: unlike a password or a badge, a compromised fingerprint or face cannot be reissued, so a breach of stored biometric data is permanent for the affected individual. This raises a number of important legal and privacy concerns. For instance, if a database of biometric data is hacked, who is responsible? What if an employee does not want their biometric data to be used as a key to unlock an employer’s computer systems? Can biometric data from a fitness device be used to determine eligibility for healthcare or insurance coverage[1]?

Protecting biometric data is one of many issues facing regulators in the U.S., primarily at the state and local levels, where significant privacy legislation is being enacted in the absence of a comprehensive federal privacy law. Although 12 states have now adopted data privacy laws, only three states (Illinois, Texas and Washington) and one city (New York City) currently have specific biometric privacy laws on the books[2]. Of those, Illinois’ law is considered the most potent and impactful given its broad scope and private right of action.

Overview of Biometric Privacy Laws in the U.S.
First, it may be helpful to level set on the term ‘biometric data.’ A commonly accepted definition is that of the EU’s General Data Protection Regulation (GDPR), which defines it to include any personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprint data.

Currently, four U.S. jurisdictions have biometric-specific privacy laws in effect:

  • Illinois’ Biometric Information Privacy Act (BIPA), adopted in 2008, is one of the first laws in the nation to regulate the use of biometric identifiers and biometric information. It is fast becoming a blueprint for other states. Its key provisions are reviewed below.
  • Texas’ Capture or Use of Biometric Identifier Act (CUBI), passed in 2009, essentially restricts the use of biometric data for commercial purposes unless notice is given to, and consent obtained from, the affected individual.
  • In Washington, two laws are currently in effect. The Washington Biometric Law prohibits the use of biometric data for commercial purposes without notice and consent, while the 2023 My Health, My Data Act offers protections similar to those in BIPA for personal health data (including biometric data) not covered by HIPAA.
  • At the local level, New York City has a biometric privacy law in effect, which applies only to the collection of customer biometric information.

Additional Regulation via State Consumer Privacy Laws
In addition to the laws described above, a number of states address the use of biometric data within their consumer privacy statutes[3], deeming such data “sensitive information” to which the most stringent protections will apply.

Typically, these laws require entities collecting and using sensitive biometric data to notify individuals at the time of collection[4] of the following:

  • the organization collects, stores or uses biometric information;
  • the purposes of such actions; and
  • how long the organization uses or stores the biometric information.

Additionally, some of these laws may also require such entities to:

  • Process only the minimum amount of data necessary for the stated purpose; and
  • Obtain the individual’s consent for the collection and use of biometric identifiers or biometric information.

Finally, it is worth noting that some of these laws, like the CPRA, do include private rights of action, although the CPRA’s is limited to certain data breaches rather than to every violation of the statute.

A Closer Look at Illinois’ BIPA
As more states consider adopting biometric privacy legislation, BIPA has emerged as a blueprint to follow; therefore, it is worth exploring in closer detail.

Key Definitions
Under BIPA, a “biometric identifier” is defined as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry; and “biometric information” is any information, regardless of how it is captured, converted, stored or shared, that is based on a person’s biometric identifier and used to identify that person.

Unlike other legislation of its kind, BIPA’s scope is not restricted to commercial uses of biometric data. The law prohibits the collection of biometric data unless an entity first (a) informs the subject in writing that the information is being collected, (b) states the specific purpose and length of term for the collection, and (c) obtains a written release from the subject for the use of the information. Further, if that information is to be disclosed to another party, the entity must obtain the subject’s consent for the disclosure or re-disclosure. In other words, informed consent is required by BIPA.

Service providers receiving biometric data are also obligated not to use such information for any reason other than the stated contractual purpose and to delete the data after use. In the employment context, BIPA defines the required “written release” to include a release executed by an employee as a condition of employment, in addition to the informed written consent required of everyone else.

Informed Consent Requirements
In a recent case before the Illinois Supreme Court[5], the court held that a separate BIPA claim accrues each and every time biometric information is collected or disclosed without the required consent, not only at the first collection. Under BIPA, informed consent requires both notice and receipt of the subject’s release. Specifically, an entity must:

  • Notify each individual or their authorized representative in writing (usually by referencing a privacy policy and terms of use covering the use of personal data):
    • that the organization collects or stores biometric identifiers or biometric information;
    • the purposes for collecting, storing, and using the biometric identifiers or biometric information; and
    • how long the organization uses or stores the biometric identifiers or biometric information; and
  • Receive the individual’s or their legal representative’s written release to collect biometric identifiers or biometric information.

Mandatory Policy and Security Measures
In addition to requiring consent, BIPA requires entities using biometric data to develop a publicly available written policy that includes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial collection purpose has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first. Security measures designed to safeguard the information are also required: the data must be stored, transmitted and protected using the reasonable standard of care within the entity’s industry, and in a manner that is the same as or more protective than the manner in which the entity protects other confidential and sensitive information.

Best Practices for Collectors of Biometric Data
Entities that collect and use biometric data – whether for their own use or as a service provider – are encouraged to familiarize themselves with any applicable laws relating to this practice. Although specific requirements will vary from state to state, the following elements are generally considered best practices for biometric data protection:

  • Giving notice at the time of collection and obtaining verifiable consent (as proof that the individual knew and agreed to the collection, if needed in the future)
  • Providing a clear statement of purpose for the collection
  • Limiting use of biometric data to only the disclosed purpose
  • Retaining biometric data for the shortest time necessary and destroying it securely thereafter
  • Updating privacy policies and terms of use to ensure biometric data measures are included and easily understood

Organizations also may wish to review existing cyber liability insurance policies to ensure coverage of the use and collection of biometric data, particularly in light of the proliferation of new laws and private rights of action.

Special Considerations for Employers
Employee data is typically treated differently than consumer data under the law because employees have little practical choice but to allow employers to process their data. GDPR set the standard here: because consent is unlikely to be freely given in an employment relationship, employers are generally expected to rely on another lawful basis, such as “legitimate interest” or contractual necessity, rather than on consent. Following suit, Illinois’ BIPA requires a written release executed by the employee in addition to informed consent.

For this reason, employers collecting biometric data should be thoughtful in how they approach employees. For instance, in addition to procuring a written release signed by employees, providing written notice at the time of collection (which states the reasons for the processing) and requesting employee acknowledgement of the collection for each stated use are now considered best practices. Offering employees security options that do not include the use of biometric data is also appropriate.

The proliferation of biometric security measures has been a double-edged sword for businesses. Despite offering convenience and robust protection, they are also rife with the potential for abuse and misuse. The introduction of biometric privacy laws by several states is a clear sign that regulators recognize the risks and the need to protect citizens and their highly sensitive personal data.

As with any type of personal data collection, organizations cannot go wrong by adhering to the basic principles of privacy by design, among them: collect only what is necessary for the purpose, and securely delete any data when it is no longer required.

If you have questions about biometric privacy laws or privacy issues in general, please contact Lori Ross at [email protected].

Lori Ross brings over 25 years of experience advising clients on commercial law and privacy issues. Although she has represented companies across a range of industries, her practice focuses on new and emerging tech, manufacturing and media companies. Lori holds the International Association of Privacy Professionals (IAPP) designations in U.S. and European privacy law – CIPP/US and CIPP/E. She is also an IAPP Certified Information Privacy Manager (CIPM).

1 Biometric data subject to HIPAA is not addressed in this post.

2 The New York Biometric Privacy Act is currently under consideration by the New York State Senate and Assembly.

3 California (in both the California Consumer Privacy Act and California Privacy Rights Act), Virginia, Colorado, Connecticut and Utah. Delaware, Texas, Oregon, Montana, Iowa and Florida are expected to have similar laws coming into effect in 2024 and 2025.

4 Utah does not require prior consent but does require that an individual have the opportunity to opt out of the collection and use of the biometric information.

5 Cothron v. White Castle (2023 IL 128004, February 17, 2023)

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.