As voice recognition and facial scan technology have improved, organizations are increasingly using biometric identifiers in the authentication processes for devices, online applications and accounts. Surprisingly, there is no comprehensive federal statute or regulation governing the collection, protection, use or disposal of biometric data. The U.S. Federal Trade Commission has only issued recommended best practices for the use of facial recognition and has not promulgated any rules; these best practices are nonbinding and serve only as guidance. In addition, until recently, only two states had adopted laws regulating the use of biometric data: Illinois and Texas. In May 2017, Washington became the third state to enact a law governing the collection, use and retention of biometric data.
In 2008, Illinois passed the Biometric Information Privacy Act, which set forth a comprehensive set of rules for the collection and use of biometric data. Organizations must provide written notice prior to the collection of any biometric identifier. The notice must include the purpose of the collection and the duration that the organization will use or retain the data. Only after obtaining the written consent can organizations begin their collection activities. Once they have collected biometric data, the BIPA requires organizations to protect that data in the same manner it would protect other sensitive and confidential information using the reasonable standard of care in its industry. In addition, the BIPA requires organizations to have a publicly available written policy stating how long the organization will retain the data and rules governing the destruction of that data.
The BIPA prohibits organizations from selling or otherwise profiting from the biometric data they collect. It further prohibits organizations from disclosing biometric data unless (1) they obtain consent; (2) the disclosure completes a financial transaction requested by the individual; (3) the disclosure is required by federal, state or municipal law; or (4) the disclosure is required by a valid warrant or subpoena.
The BIPA provides a private right of action for violations of the statute and entitles a prevailing party to statutory damages for each violation equal to the greater of $1,000 or actual damages for negligent violations, and the greater of $5,000 or actual damages for intentional or reckless violations. The existence of the private right of action has led to considerable litigation with Facebook, Google, Shutterfly and Snapchat over their use of facial scanning and/or recognition technology.
Texas enacted its own biometric data law shortly after the passage of the BIPA. Similar to the BIPA in many regards, the Texas law required informed consent by individuals before organizations could begin collecting biometric identifiers. However, the consent did not need to be written. The Texas biometric law also imposed limitations on the sale of biometric information and set forth security and retention requirements. Only the Texas Attorney General can enforce the state’s biometric law as the law does not provide for a private cause of action.
On May 16, 2017, Washington became the latest state to pass a law regulating biometric data effective as of July 23, 2017. The Washington statute defines “biometric identifiers” as “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.” Significantly, perhaps in response to the litigation generated by the BIPA, Washington’s definition of “biometric identifiers” expressly excludes “physical or digital photograph, video or audio recording or data generated therefrom.” It also excludes information “collected, used, or stored for health care treatment, payment or operations” subject to HIPAA. The statute also possesses a security exception, exempting those parties that collect, enroll or store biometric identifiers in furtherance of a “security purpose.”
Washington’s biometric data law applies only to biometric identifiers that are “enrolled” in a commercial database, which is defined as “captur[ing] a biometric identifier of an individual, convert[ing] it into a reference template that cannot be reconstructed into the original output image and stor[ing] it in a database that matches the biometric identifier to a specific individual.” Organizations may not enroll a biometric identifier unless they provide notice and obtain consent. The statute does not require a specific type of notice. Instead, it states that notice is “context-dependent” and only needs to be “given through a procedure reasonably designed to be readily available to affected individuals.” The statute, however, specifically notes that “[n]otice… is not affirmative consent.”
Absent consent, an organization may not sell, lease or disclose biometric data to a third party for commercial purposes, except where a statutory exception applies. These exceptions include where necessary to provide a product or service requested by the individual and where disclosure is made to a third party “who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose” that is inconsistent with the law. Even with consent, organizations may not use the biometric data they collect for any purpose that is “materially inconsistent” with the original purpose of the collection.
The Washington biometric statute imposes security and retention requirements. Organizations must exercise reasonable care to guard against unauthorized access to and acquisition of biometric identifiers. They must also retain biometric identifiers for no longer than necessary to comply with the law, protect against fraud, criminal activity or other security threats, or provide the service for which the biometric identifier was collected.
Like the Texas biometric data law, the Washington biometric data law does not provide a private right of action. Only the Washington Attorney General can bring an action to enforce the statute under the Washington Consumer Protection Act.
In the absence of federal legislation, further state laws regulating the collection, use and retention of biometric data appear to be imminent. Bills governing biometric data are currently pending in the Alaska, Connecticut, Montana and New Hampshire legislatures. Given the proliferation of biometric information as a means of identification and authentication, it is only a matter of time before more states adopt similar laws.