What is Biometric Data?
As technology advances, so do the ways that businesses use data. One of the most popular new trends is biometric data. Global privacy laws and regulations vary in their definitions of biometric data (**see below), which, broadly speaking, is a set of markers that are specific to a person’s identity. This includes biological traits such as fingerprints and facial recognition, voice patterns, DNA, and even behavioral patterns like typing style and biometrics from wearable devices. Biometric data is used for many purposes, from authentication, such as unlocking your phone using facial recognition or your fingerprint, to tracking employees’ time and attendance. While this type of data offers numerous advantages to consumers and businesses, it also brings with it a complex legal landscape.
**For example, California’s CCPA as amended by the CPRA (“CCPA”) defines “Biometric information” as “an individual’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information” (Cal. Civ. Code 1798.140 (c)); Illinois’s Biometric Information Privacy Act (“BIPA”) provides a narrower definition and defines “Biometric identifier” and “Biometric information” separately (740 ILCS 14/10); and Article 4(14) of the GDPR defines “biometric data” as “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
Are there specific regulations governing collection and use of Biometric Data?
In the United States, the specific regulations governing how biometric data can be collected, used and stored vary by state. For example, Illinois’s BIPA was enacted in 2008 and is one of the most stringent regulations in place when it comes to collecting, using and storing biometric data. California’s CCPA regulates biometric data by including it in the definition of personal information. Other states including Texas, New York, Washington and Arkansas have also followed suit with their own regulations and breach notification laws concerning biometric data.
What do businesses need to do to comply with the regulations on Biometric Data?
The best way to ensure compliance with these regulations is through comprehensive internal policies, and external terms and conditions and privacy notices for customers that clearly outline how biometric data will be collected, stored, and used by your business. Most importantly, biometric data must never be collected without an individual’s consent. In general, the privacy notice should include:
- The type(s) of biometric data that is being collected;
- The purpose(s) for which the biometric data will be used;
- The business’s data retention policy outlining how long the data can be stored before being deleted or destroyed (depending on its purpose);
- Information about who has access to it and what they are allowed to do with it;
- The security measures, such as encryption or pseudonymization, that the business uses;
- Instructions on how individuals can opt out of or limit the collection of their biometric data.
If you are collecting biometric data from customers or employees in Illinois, California or any other state with its own laws on the collection and storage of biometric data, then you must adhere strictly to those laws as well to ensure compliance.
Are there penalties for businesses that do not comply with regulations on Biometric Data?
If your business collects, stores, or uses biometric data without complying with applicable laws, your business could be subject to some pretty hefty penalties. In Illinois and California, for example, the consequences for not complying with biometric data laws can be expensive. Under Illinois’s BIPA, businesses that fail to comply with BIPA’s biometric consent provisions may face a $1,000 fine for each negligent violation, and $5,000 or more if the violation is reckless or intentional. Several cases, including Rosenbach v. Six Flags Entertainment Corp. in 2019, Patel v. Facebook in 2020, and a class action lawsuit in 2022 – Rogers v. BNSF Railway Company, focused on the lack of individuals’ written consent for collection of their biometric data and put BIPA in the headlines in a big way. Under California’s CCPA, businesses can be fined $2,500 per violation lacking intent and up to $7,500 per intentional violation of the CCPA.
Meanwhile in the EU, failure to comply with the GDPR can result in hefty fines imposed by regulatory authorities — up to 20M Euro or 4% of the global turnover, whichever amount is greater.
Final Words
Navigating the legal landscape surrounding biometric data can seem daunting at first, but ultimately, understanding the responsibilities and obligations when it comes to collecting this type of sensitive information will help keep your business compliant now and will protect it from potential legal issues down the road. The key is staying abreast of the latest legal developments in laws concerning biometric data protection and having comprehensive policies in place that cover every aspect of how your business collects, uses and stores biometric data. By doing so, you can be confident that you’re protecting your customers’ and employees’ biometric data while still harnessing the benefits of this powerful technological tool.
Jenya Beylin is a Senior Attorney at Meyer Law, one of the fastest growing law firms in the United States. Jenya helps companies with domestic and international privacy, data protection and compliance matters. Jenya is a blog contributor at Meyer Law and is a member of the International Association of Privacy Professionals (IAPP).