Over the past year, a significant number of US states have passed new laws regulating the collection, use and monetisation of biometric identity. Known as Biometric Information Privacy Acts (BIPA) these acts set up a framework for companies to work in when they are collecting and using biometric data including facial and iris scans, fingerprints or voiceprints.
The most prominent BIPA was passed in 2008 in the state of Illinois and which has been a blueprint for more recent legislation on this issue. In 2022 new BIPAs were passed in California, Kentucky, Maine, Maryland, Massachusetts, Missouri and New York.
In 2021 Facebook reached a $650 million settlement in a class action based on the Illinois BIPA. and in 2022 Clearview AI entered into a consent decree as a result of a ACLU class action that has resulted in the company ceasing to sell its facial recognition software to civilian businesses in the US.
The Illinois BIPA defines Biometric Identifiers (BI) as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry and provides strict conditions concerning the collection and storage of BI by private entities (BI Processor) as follows:
- The BI Processor must have a written, publicly available policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information, either when the use requirement has been satisfied or within 3 years.
- No BI Processor may collect, capture, purchase, receive through trade, or otherwise obtain BI unless it informs the subject subject of the purpose of the collection and obtains written consent.
- No BI Processor may sell, lease, trade, or otherwise profit from a person’s or a BI.
- No private entity in possession of BI may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information without consent, court order or other lawful justification.
The Act provides liquidated damages of $1000 or actual damage per violation for negligent violation of the Act and $5000 or actual damage per violation for intentional or reckless violation of the Act.
With the sheer scale of BI utilised across social media today, it is clear that failure to adhere to the legislation could quickly result in massive sanctions against BI Processors.
The increased availability of BIPA laws across the US mean more significant risks for tech companies whose operations rarely have such strict geographic boundaries.
Further it adds to the complexity of privacy and data compliance, as businesses cope to deal with the application of a complex network of laws that regulate both personal information or data (PI) and biometric information (BI).
For consumer these laws can only be a welcome relief, providing more control over the widespread use of facial recognition and a strict set of requirements for disclosure. While the use of BI in technology can bring great efficiencies and new services to our lives, the misuse of this technology has the potential to significantly impact on the privacy of individuals.