The basics, usage, and privacy concerns of biometric data

Unlike many countries, there is no comprehensive data privacy law that includes biometric data and covers the entire United States. Instead, data privacy regulation is sector specific left to state and local governments. The latter is somewhat intentional but also a reflection of the gridlock that has gripped Congress for the past decade.

In the absence of federal action, more and more state governments are enacting privacy laws. Most states already have laws aimed at data breaches and five now have comprehensive data privacy laws modeled somewhat on the EU’s General Data Privacy Regulation. A growing area of concern amongst regulators is how to protect biometric data.

Several states and local governments, led by Illinois, have enacted — or are in the process of enacting — specific laws to govern the collection and use of biometric data. In-house counsel should be aware of the issues surrounding biometric data, especially when it comes to privacy issues. This article discusses the basics of biometric privacy.

What is biometric data?

At the most basic level, biometric data is biological data or characteristics about the unique behavioral and physical characteristics of individual persons — the “stuff” that makes us both human and our own person. There are many different types of biometric data, including:

• Fingerprints
• DNA (blood, skin, bone, saliva, urine, etc.)
• Retinal pattern
• Iris pattern
• Facial images and recognition
• Voice matching
• Body part shapes (for example, the shape of your ear)

Less obvious biometric data involves behavioral characteristics, or the unique way individuals behave and act. These include the gait of how we walk, how we enter information on a keyboard, the pressure we use when signing our name, and other patterns that can be unique to a specific individual. All of this information can be gathered and stored in databases — sometimes with our knowledge, sometimes without.

How is biometric data used?

For our purposes, biometric data concerns technology that uses such data to either authenticate a person or identify an individual. As workers and consumers, we have all seen or experienced biometric technology in action. Fingerprints or “selfies” have replaced passwords to open our smartphones and other devices. In corporate settings, retinal scans, thumbprints, and face scans are used to gain access to restricted materials, areas, or even the office itself. For many workers, the use of their biometric data has replaced the old “punch in and out” timecard.

Recently, companies have used COVID-19 vaccination status for determining which employees may enter the offices, or even continue to have jobs. Law enforcement can use DNA to identify suspects in a crime or use a facial scan database to identify criminals based on surveillance camera footage of the scene of a crime. The same is true for border enforcement. The military can use facial scans to identify terrorists or other bad actors — usually from a distance using cameras on a drone.

Here is a simple example of biometric identification in action: Ms. Smith needs access to her safe-deposit box at Big Bank. She goes to the bank, but before she is given the key and taken to the room where the boxes are kept, she must show identification, give a password, and then place a thumbprint on a scanner just outside the room. The latter is biometric information and is obtained in real time. It is compared to the biometric information the individual provided when purchasing the safe-deposit box and which is stored in the bank’s client database. Once properly authenticated and identified, Ms. Smith gains access to her safe-deposit box.

What are biometric data and privacy concerns?

There are many benefits to using biometric information as a way to identify and authenticate individuals.  To start, every human has biometric data, so it is truly universal in scope. It is unique and it is permanent — unless the individual experiences an injury that destroys a physical aspect. Biometric data is generally easy to record, measure, and store and does not require the individual to remember anything or carry anything with them, such as a password or other identification.

It is also very difficult, if not impossible, to forge — unless you are starring in a Mission: Impossible movie. Then it’s another story.

While there are clear benefits to using biometric data for identification and authentication, there are, of course, concerns. As it becomes more common, companies and the government are building huge databases to store biometric data of their customers, employees, and citizens. These databases can be hacked or used for purposes that differ from the basis on which it was collected.

Moreover, with only a handful of states enacting biometric privacy laws, there is still a Wild West component at play. How is the data being gathered and used? What are the limits? Can it be sold? Because of the nature of biometrics, it is literally the most “personal” personal data available and it is not at all clear that the laws have kept pace with the rapid development in this area.

If stolen or copied, biometric data can provide access to that person’s most sensitive secrets, data, bank accounts, and so forth. For example, a photo of the owner can be used to unlock a smartphone set to open with a facial scan. Governments can track the movements of individuals by using facial recognition and publicly placed cameras. The problem of “deep fakes” using artificial intelligence and biometric data together is real and concerning — you can now place an innocent individual at a crime scene. On the other hand, such data is not perfect and mistakes can be made, like if a photo is misidentified as Individual A, who is arrested for a crime they did not commit based on a facial recognition “match.”

Examining biometric data usage: Action items for in-house counsel

In-house lawyers sit in a unique position at the company; they typically see everything the company is doing — for good or bad. They should use this vantage point to investigate if and how their company is using biometric data. This starts by posing some basic questions about data to the various business units and staff groups.

Depending on what in-house counsel find in their firms, they should consider the following:

• Does the company’s public-facing privacy policy honestly and properly reflect the use of biometric data?
• Does the company have a biometric data policy, setting forth the types of biometric data the company collects and how it may be used?
• Is biometric data secure using the latest in data security protection? If a vendor is used, has the company properly vetted the vendor?
• Has the company given the proper notices to consumers or employees about the collection and use of biometric data?
• Has the company garnered the appropriate permissions to collect and use biometric data?
• Does the legal department understand biometric data laws that apply to how the company collects and uses biometric data?
• Does the company have a process to vet new ideas and projects that involve the collection and use of personal data, including biometrics? 
• Does the company’s cyber-risk insurance cover biometric data claims?

There is great promise in the use of biometric data — but there are also pitfalls. The collection and use of such data must be thought through and implemented subject to a well-defined plan; anything less is asking for trouble. In-house lawyers with access to Practical Law have a full set of tools, policies, summaries, and checklists available to make understanding and dealing with issues involving data privacy and biometric data easier, faster, and more comprehensive. A second article will discuss the scope of biometric privacy laws in the U.S.