Legal Biometric Identification

Texas and Washington also have sweeping biometric privacy laws, but neither creates a private right of action. Yet other states like Arizona and New York have adopted personalized biometric privacy measures, and many others have enacted laws specifically targeting the use of facial recognition technology. Thales attaches great importance to risk assessment and the ability of private operators to manage these risks. Similarly, the legal and social implications are also important. In the United States, there is no single, comprehensive federal law governing the collection and use of personal information in general, or biometric information in particular. Instead, the country has a patchwork of federal and state laws and regulations that can sometimes overlap or contradict each other. Led by Illinois, several states and local governments have enacted or are in the process of enacting specific laws to govern the collection and use of biometric information. In-house counsel need to be aware of the issues surrounding biometrics, particularly when it comes to privacy issues. This article explains the basics of biometric privacy. The subsequent wave of regulatory action came as part of a new push for criminal justice reform in the United States. The use of facial recognition technology by law enforcement agencies – to identify individuals, track group or individual movements in cities, or (often with flimsy scientific claims) determine a person's emotions, sexual orientation or racial identity – has led many communities to ban this type of biometric application.

Bans were recently enacted in the cities of San Francisco and Oakland, California, in 2019; Portland, Oregon in 2020; and Minneapolis, Minnesota in 2021, to name a few. In other words, if companies collect biometric data such as fingerprints or facial prints without explicit consent, they can be prosecuted. New York amended its existing data breach notification laws with the Stop Hacks and Improve Electronic Data Security (SHIELD) Act of 2019, which went into effect in early 2020. The SHIELD Act extends the definition of private information to biometric information. It defines biometric information such as fingerprints, voiceprints, retinal or iris images, or other unique physical characteristics. Interestingly, it also includes other forms of unique digital representation of biometrics used for authentication purposes. Previously, New York had also passed limited biometric legislation, N.Y. Lab. Law § 201-a, which applies specifically to the employment context. It prohibits fingerprinting “as a condition of obtaining or retaining employment.” It does not expressly provide for a private right of action.

While biometric laws apply broadly to all industries and regulate private companies and individuals, compliance issues most often arise in HR and employment contexts. Many U.S. employers have recently begun using their employees' biometric information to monitor when their employees enter and exit, to restrict access to secure areas, to provide system logins and regulate online access to sensitive data, and even to track productivity and ergonomics. Although practical, highly accurate and effective, the use of biometric technology at work leads to a number of legal and regulatory compliance issues. The now famous California Consumer Privacy Act (CCPA), which will go into effect in 2020, also regulates biometric data by including it in the definition of personal data. As more states adopt comprehensive privacy laws, companies that collect and use biometric data, or plan to do so, must pay close attention to establishing policies and procedures, implementing appropriate security measures, and being aware of the notification and consent requirements imposed by various laws. In addition, the Regulation allows Member States to introduce additional restrictions on the processing of biometric data. The EFF, which has been joined by several civil liberties and immigrant rights organizations, recently filed a comment calling on the Department of Homeland Security (DHS) to withdraw a proposed rule that would exponentially expand the collection of biometrics from U.S. citizens and non-citizens who apply for and authorize immigration benefits.

Unlike Illinois, other states don't yet have full biometric requirements. In 2009, Texas passed its own biometric privacy law, Tex. Code Com. §503.001. It states that “a person shall not collect a biometric identifier” without prior consent, may not sell biometric data without consent or unless permitted by law, must exercise due diligence when storing it, and “shall destroy the biometric identifier within a reasonable time.” While it imposes a hefty civil penalty of “$25,000 for each violation,” unlike BIPA, there is no private right of action. Rather, it is the Attorney General who has the right to enforce the law. Biometric data collected by the Ministry of Defense is managed by the Defense Forensics & Biometrics Agency (DFBA).

The DFBA consolidates and coordinates forensics and biometrics across the Ministry of Defense to support identity activities in a range of military operations. The ability to identify individuals using biometric technologies and forensic exploitation enhances many different areas of employment and enables the Department of Defense:

According to reports, more than 200 BIPA lawsuits were filed in 2018-2019 alone. Most of these cases are class action lawsuits, and most target employers who use biometric technology in the workplace. These lawsuits are increasing, costly and difficult to defend. In California, Facebook continues to defend an alleged class action lawsuit alleging that the company violated BIPA when it illegally used its facial recognition software on photos that users upload to the site.