Biometric Privacy Laws

We have discussed the Fifth Amendment’s application to encryption and biometric information in the past. So now, the purpose of this article is to discuss biometric privacy laws. The State of Illinois has already passed several pieces of legislation to regulate biometric privacy laws. For example, it has passed the Biometric Information Privacy Act (“BIPA”) which addresses the protective measures of biometric information. The statute defines biometric information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.” It defines a biometric identifier as follows:

A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

However, these rules seem to miss the mark by imposing statutory damages and fee-shifting provisions on commercial organizations. As a result, the legislators have opened the floodgates to class action lawsuits. It is important to note that biometric technology has evolved in recent years and the statutes that have attempted to regulate the technology may be outdated. Also, the recently-developed biometric equipment are capable of transforming the biometric identifier into an encrypted format which makes it unreadable or unidentifiable. Therefore, this kind of advanced technology prevents the anticipated harm, and as such, the statutory provisions should be updated by the lawmakers.

Now, some states have already passed laws to prevent using facial recognition technology to identify people without their informed consent. This way, the consumers should have control over their personal information. California has passed the California Consumer Privacy Act (“CCPA”) which in essence implements certain safeguards for consumers. It allows consumers to review the information a company has stored about them and a list of all the third parties that data is shared with. It grants the consumers a private right of action against the violators. The statute applies to companies that serve residents and have at least $25,000,000 in annual revenue. It affects companies of any size that store personal data on at least 50,000 individuals or collect more than half of their revenues from personal data sales. The statute refers to and defines biometric information as an individual’s physiological, biological, or behavioral characteristics that can be used to establish individual identity. It includes imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings from which an identifier template can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

It is important to know and understand the various biometric privacy laws. We work with clients regarding internet, technology, and computer laws. Please feel free to contact our law firm in order to speak with an attorney who has knowledge about biometric privacy laws.