Access to biometrics has given us the chance to automate recognition and verification processes in an extraordinarily individualized way. The U.S. government uses biometrics to enhance national security, and their Automated Biometric Identification System (IDENT) overseen by the Office of Biometric Identity Management processes about 300,000 transactions based on biological data per day.
But in stride with the capabilities of biometric scanning, citizens and consumers for whom biometrics-based technologies are put in place are becoming more concerned about their privacy. Because these data are so individualized, the danger inherent in their distribution is of genuine concern.
That’s why, in the United States, three states already have laws that regulate biometric privacy. In Illinois, the law even allows for a private right of action, so other entities than the state’s attorney general can bring a suit to court – and citizens are already exercising that right.
- The Illinois Biometric Information Privacy Act (BIPA) protects biological data in answer to the conclusion that, once compromised, there is no recourse for an individual to protect his or her biometric information as it inherently cannot be changed. It requires that users of biometric data (employers, governments) develop written policies and explain to those whose data will be used their rights and courses of action in the event of data compromise or privacy violation.
- The Texas Capture or Use of Biometric Identifier Act (CUBI) provides regulations only for the use of biological data for commercial purposes. Terms are loosely defined and litigation according to CUBI is open to interpretation.
- The Washington Law that governs biometric identifiers was enacted alongside Washington legislature concerns that American citizens are having to disclose biological information at an increasing rate. The law, however, only deals with enrollment in biometric identifier databases rather than the collection of biological information.
In such cases as Jackson v. A. Finkl & Sons Co., No. 2018-CH-07424 (Ill. Circuit Ct. June 13, 2018), plaintiffs have claimed negligence on the part of their employers for failing to protect and secure the biometric data of employees. Citizens may also claim invasion of privacy wherein the right to biometric data privacy takes precedence over the need of employers to collect and use that data.
Both companies and individuals are vulnerable to the risks of collecting, or allowing the collection of, personal and unchangeable biologically-based information. As litigation continues, so too will advances in biometric scanning technology.
Precedents Set in Facebook Biometrics Cases
Facebook faces defeat after defeat as it attempts to defend its biometric data use policies in its ongoing class-action suit. As the cornerstone BIPA case in litigation involving biological data, it is poised to outline the future of data collection technology for social media and has the potential to reach other entities, as well.
- In its decision in In re Facebook Biometric Privacy Litig., No. 15-03747, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018), the lower court rejected the argument that litigants should be required to prove that they had sustained injury beyond Facebook’s violation of BIPA’s notice-and-consent provision.
- Plaintiffs in the Facebook class action argue that the company’s biometric scanning technology collects face geometry information and processes it as data on human facial regions to recognize faces. Though Facebook’s representation claimed that technology does not rely on human features to parse images and instead employs pixel pattern recognition, the court ruled that issues over the facial recognition technology would have to go to trial.
The court’s decisions suggest two things:
- Those whose biometric data is used without consent or in a circumstance in which the data is unprotected feel as if their privacy rights have been violated
- Courts, technology designers, and the businesses who use the technology will need to work together to create a seamless system for defining what biometric data is collected, how it is used, how it is protected, and how to disclose that information to those whose data is collected.
How Will Litigation in Biometric Scanning Shape Technology?
Ongoing Facebook litigation and common law claims lean toward resolutions that suggest continued improvements in consumer-side information protection. In accordance with rulings that recognize the sensitivity of biometric information, technology will likely need built-in termination protocols in the event of data breaches or, in the case of employers using employee fingerprints for security, actionable protection in the event of an employee-employer relationship termination.
Consumer-side scanning software (like that used to perform certain convenience functions on social media websites) will likely need to be built to avoid using biometric data directly; that is, it may have to simulate biometric data scanning by searching for digital interpretations of biological data (for example, reading arrangements of pixels that create the appearance of a recognizable nose).
Information protection will be the cornerstone for future technology, especially as forthcoming Facebook class action decisions emerge. But as more states become aware of the risks of biometric data collection and use, legislation will continue to expand to more states, and inevitable litigation in those states is poised to push how biometric scanning technology designers build their hardware and software for protection of consumers.