By Vanessa Chang[i]
Most of us never would have imagined that there would come a day when we would flinch at the thought of touching a credit card machine or at the prospect of leaving the safety of our homes simply for groceries. In the wake of coronavirus (COVID-19), the “new normal” altered businesses operations across the board. Technology – specifically security and biometric technology – will also undoubtedly figure prominently as businesses and organizations look to help alleviate the spread of COVID-19 and manage growing consumer awareness of pathogen management in the future.
Thermal imaging and contact tracing are two examples of how businesses approach and use security systems.[ii] Access control, the first consideration in any security environment, will be significantly impacted as businesses adopt contactless biometric technology (e.g., biometric entry devices) in response to customers’ hesitation to come into contact with objects that others have touched.[iii] As these measures provide a sense of safety and comfort for consumers and employees, businesses need to be mindful of the potential violation of some biometric privacy laws. For example, the implementation of contactless infrared facial scanning to scan consumers’ temperatures when they enter stores or restaurants can violate biometric privacy laws, if made without consent. Under Illinois’ Biometric Information Privacy Act (BIPA), capturing of biometric identifiers, including “a scan of facial geometry,” without a person’s consent constitutes a violation. Although the intended purpose of contactless infrared facial scanning is to measure consumers’ temperatures, it could still capture the consumers’ facial geometry, nonetheless.[iv]
There is no uniform set of laws regulating the collection of biometric data in the United States, and – prior to 2018 – only three states (Illinois, Washington, and Texas) had passed biometric legislation at the state level.[v] While the Washington legislation excludes “physical or digital photographs, video or audio recording or data generated therefrom” and facial recognition or records from its definition of biometric identifiers, BIPA does include a private right of action, which the Electronic Frontier Foundation dubs as the “gold standard for biometric protection nationwide.” Class action plaintiffs have focused primarily on organization’s failure to comply with BIPA’s notice and consent mandates. To date, most lawsuits emerged from instances such as the improper use of facial recognition technology and the improper collection and use of fingerprints, especially in the workplace context.[vi]
After COVID-19, more states have taken action. For example, both California and Oregon have implemented state-wide legislation designed to protect consumer privacy. On January 1, 2020, both California and Oregon’s biometric privacy laws went into effect. Specifically, the California’s Consumer Privacy Act expressly defines biometric information as one type of personal information that may be regulated by state privacy laws and gives consumers rights to control how businesses use their personal information.[vii]
As shelter in place mandates were implemented nationally, New York completed the enactment of its own law, Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which addressed biometric information, in March of 2020.[viii] The Act revised New York’s 2005 breach notification law and included biometric information within its definition of personal information. The Act also expanded protection for residents’ personal information by including biometric data as a type of information that is subject to the Act when businesses are developing and employing reasonable safeguards as required by the Act.[ix]
In addition to these efforts, at least 11 other states have attempted to pass similar laws, although most have not successfully been enacted. This was mostly because the legislations died in committees or chambers. Presently, only Arizona, Massachusetts, and Hawaii have pending biometric legislation.[x]
Even though other biometric technologies that require contact, such as a fingerprint, will not disappear immediately, contactless biometric technologies could rise in popularity.
It is apparent that the use of biometric technology could be essential to protecting public health and safety and consumers expect protection. However, without uniform laws, current privacy laws fail to provide businesses with guidelines for safe implementation. While some states like Illinois and Texas have enacted stringent biometric regulations, there are still many states left without any privacy laws addressing biometric technologies.
Biometric tools represent worthy approaches and the technology will undoubtedly evolve. Therefore, it is important now than ever for businesses and organizations to prepare ahead of time in order to ensure compliance as biometric guidance develops through the evolution of privacy laws. Some necessary precautions include consulting with privacy experts, staying informed about the development of state biometric privacy laws, and sponsoring privacy-related issue workshops in the working environment.
Privacy protection practice has become the norm and essential elements to justify the sound business operation in terms of consumers’ reasonable expectation that their personal and idiosyncratic data will not be misappropriated. Biometrics were not as well-known but have taken a front seat during this pandemic. While the biometric field is still developing, businesses need to help push the envelope in implementing these technologies but also must be aware of the impact of privacy laws in order to stay in compliance.
[i] Vanessa Chang, J.D. and Privacy Law Certificate Candidate at Santa Clara University School of Law
[ii] Meredith Van Natta, The Rise and Regulation of Thermal Facial Recognition Technology During the COVID-19 Pandemic. 38 J. Law & Biosci. (2020).
[iii] Joel Griffin, The Role of Biometrics in a Post-COVID world. https://www.securityinfowatch.com/access-identity/biometrics/article/21143152/the-role-of-biometrics-in-a-post-covid19-world
[iv] Kristine Argentine, The Growing Number of Biometric Privacy Laws and the Post-COVID Consumer Class Action Risks for Businesses. https://www.jdsupra.com/legalnews/the-growing-number-of-biometric-privacy-62648/
[v] Charles N. Insler, How to Tackle Litigation Under the Biometric Information Act. https://www.heplerbroom.com/cmss_files/attachmentlibrary/News/2018-11-27—ICIL_1218_Insler.pdf.
[vi] Steven Grimes, Biometric Privacy Litigation: Next Class Action Battleground, https://news.bloomberglaw.com/business-and-practice/biometric-privacy-litigation-the-next-class-action-battleground/
[vii] Fiona Q. Nguyen, The Standard for Biometric Data Protection. 7 J. Law & Cyber Warfare. 61 (2018).
[viii] Kristine Argentine, The Growing Number of Biometric Privacy Laws and the Post-COVID Consumer Class Action Risks for Businesses. https://www.jdsupra.com/legalnews/the-growing-number-of-biometric-privacy-62648/
To join the IPLC, submit an application here. Business Law Section members may apply at no additional cost. For more information, contact IPLC leadership.