Biometrics Regulations: Navigating US Biometric Laws

The United States still lacks comprehensive federal data privacy legislation, although the idea may finally be gaining traction. In late 2019, two competing federal privacy proposals were drafted. Senate Bill 2968, the "Consumer Online Privacy Rights Act" (COPRA), was introduced by Senator Maria Cantwell (D-WA), among others, and the "United States Consumer Data Privacy Act of 2019" was proposed by Senator Roger Wicker (R-MS), among others. By September 2020, Cantwell and Wicker appeared to agree on most aspects of a bill, but disagreed on two points: whether it should include a private right of action (Cantwell in favor, Wicker against) and whether it should preempt state laws, regulations, and rules (Cantwell against, Wicker in favor). Little has happened since. Despite the lack of movement on these proposals, there are rumblings that a federal privacy law may again become a topic of debate and lead to the introduction of the first comprehensive U.S. data privacy legislation.

Until then, the U.S. regulatory landscape for biometric data continues to evolve piece by piece. In the absence of a federal privacy law, the most important federal mechanism for regulating biometric data remains Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices.

Biometric Privacy Regulations in the U.S.

Under Section 5, the FTC has recently begun to take action on facial recognition technology. In January 2021, the FTC announced a settlement with Everalbum Inc. over alleged deception of consumers who used its Ever app, a photo and video storage program. The FTC alleged that Everalbum told users a facial recognition tagging feature would not be applied unless they opted in, but nevertheless enabled the feature by default without offering an opt-out. Everalbum then allegedly used the facial images to train its own facial recognition technology. The settlement is notable because it required Everalbum not only to delete the data but also to delete the models and algorithms developed with it. In a tweet announcing the settlement, FTC Commissioner Rohit Chopra called facial recognition technology "discriminatory and dangerous," signaling growing concern at the Commission about the processing of certain biometric data.

In the absence of overarching federal regulation, several states, including Illinois, Texas, and Washington, have passed their own biometric privacy laws. Companies operating in these states must provide notice and obtain consent before collecting biometric data. These laws also restrict onward disclosure of collected biometric data for a commercial purpose unless certain conditions are met. To avoid suit or regulatory scrutiny in these states, some companies have deactivated their biometric products altogether in certain markets.

Of the three state laws, Illinois's Biometric Information Privacy Act ("BIPA") has drawn the most attention because it contains a private right of action with statutory damages per violation, so a company can be exposed to liability without the plaintiff showing direct harm. Facebook, for example, agreed to pay $650 million under a court-approved class settlement in March to resolve claims that it violated BIPA by using facial recognition to "tag" users in photos without obtaining their consent. A number of lawsuits filed last year have also accused Microsoft, Google, and Amazon of BIPA violations after Illinois residents' faces were used to train facial recognition systems without their explicit consent.

Although not exclusively a biometric privacy regulation, the California Consumer Privacy Act ("CCPA") explicitly treats biometric information as personal information and subjects businesses to a range of requirements for it, including expansive disclosure obligations, compliance with data subject rights, and an expectation of reasonable security. The CCPA's definition of biometric information is also broader than most: it includes data such as keystroke patterns or rhythms and gait patterns or rhythms, which would rarely be considered biometric data under other biometric privacy laws. As a result, many companies that fall outside the scope of BIPA may nonetheless be covered by the CCPA for processing such data points.

Although the CCPA offers a private right of action only for data breaches resulting from a failure to maintain reasonable security, plaintiffs have already filed numerous class actions for purported CCPA violations unrelated to information security, using the CCPA as a predicate for claims under California's Unfair Competition Law. Some of these suits have involved biometric technologies. For example, in 2020 consumers sued Clearview AI under this theory for allegedly using facial recognition technology to build a database of millions of faceprints scraped from public websites and then selling access to that database to law enforcement agencies and private companies.

Biometric data receives even greater focus under the California Privacy Rights Act ("CPRA"), which amends the CCPA. Similar to the GDPR, the CPRA adds a category of "sensitive personal information" that specifically includes biometric information processed to uniquely identify a consumer. Under the new law, a consumer may direct a business to limit its use of sensitive personal information to (1) what is necessary to provide the goods or services the consumer requested, (2) a set of limited purposes enumerated in the CPRA (such as security and fraud prevention), and (3) uses authorized by future implementing regulations. A business that wants to use biometric information for any other purpose must therefore offer consumers a mechanism to limit that use, typically a "Limit the Use of My Sensitive Personal Information" link. Sensitive personal information that is collected or processed without the purpose of inferring characteristics about the consumer is exempt from this right.

Other states are also joining the fray. For example, the New York state legislature proposed a biometric privacy bill in January that largely mirrors Illinois's BIPA, including a private right of action. Last month, Maryland proposed similar biometric privacy legislation that would expand the types of biometric data covered but would not require businesses to obtain written consent prior to collection. Several other states, such as Massachusetts, Hawaii, Florida, and Arizona, are also considering biometric privacy bills.

Interestingly, some of the most stringent biometric privacy laws in the U.S. have emerged at the city level. In January 2021, New York City enacted a biometric privacy ordinance that places obligations on commercial establishments such as retailers, restaurants, and entertainment venues. The ordinance requires an establishment that collects biometric identifier information from customers to post a clear and conspicuous sign near each of its customer entrances disclosing the collection, and it prohibits selling, leasing, trading, or otherwise sharing that information for anything of value. The ordinance also gives individuals a private right of action for violations.

Some city-level biometric privacy laws focus more squarely on facial recognition software. For example, in 2020 Portland, Oregon passed a ban on facial recognition technology that applies both to city agencies and to private businesses in places of public accommodation, citing the city's inability to properly evaluate the technology's potential discriminatory effects. Other cities, such as San Francisco, Boston, and Oakland, have passed similar measures barring government agencies from using facial recognition software. These bans show how far city governments are willing to go to regulate certain types of biometric data in the absence of an overarching biometric governance framework.

Navigating the Scattershot Global Biometric Regulatory Landscape

Faced with this complex web of biometric data regulation, companies may be tempted to throw up their hands and concede defeat. We recommend a different approach. Companies should use this moment as an opportunity to put their biometric technologies on firm footing and develop sustainable business practices. The current landscape reflects the growing pains of a new industry, and companies can keep pace by taking several steps:

  • Document every type of biometric data the company collects or otherwise processes, the sources of that data, and the purposes for which it is used
  • Inventory and document every geographic location in which the company collects or processes biometric data, including where the data subjects are located, not only where the processing occurs
  • Identify the governing bodies in those locations and review the local requirements for the collection, use, retention, and disclosure of biometric data
  • Where biometric technologies are permitted but regulated:
    • determine whether, and in what form, individuals must be notified before their biometric information is collected
    • draft any required consents, along with written policies on the collection, use, retention, and destruction of biometric data (BIPA, for example, requires a publicly available retention and destruction schedule)
  • Review the company's practices for privacy risk, and continually test and adjust biometric technology to improve accuracy and minimize the risk of harm, including disparate performance across demographic groups
  • Protect biometric data in the company's possession using the reasonable standard of care for the industry, and at least the protections applied to the company's other confidential and sensitive information
  • Consult legal counsel on an ongoing basis to stay apprised of new laws and updated regulations in this area