Over the past year, a host of new national, state and local laws have been introduced to regulate the collection and use of biometric information. Although these proposals vary in their requirements, certain elements appear to be inspired in part by the Illinois Biometric Information Privacy Act (BIPA), which has been the subject of significant litigation in recent years. Below we provide an overview of notable proposed legislation.
U.S. Federal Law
On March 14, 2019, Senators Brian Schatz (D-Hawaii) and Roy Blunt (R-Mo), introduced the Commercial Facial Recognition Privacy Act. The act focuses on providing notice and obtaining affirmative consent whenever facial recognition technology is used to collect or process facial recognition data for certain purposes.
- “Facial recognition data” is defined as “any unique attribute or feature of the face of an end user that is used by facial recognition technology to assign a unique, persistent identifier or for the unique personal identification of a specific individual.”
- “Facial recognition technology” is defined as technology that “analyzes facial features in still or video images” and is used “to assign a unique, persistent identifier” or “for the unique personal identification of a specific individual.”
For a “covered entity” to obtain valid consent, the act specifies that individuals must be provided concise and understandable notice about the use of facial recognition technology, including (if applicable) where the individual may find more information about how the technology is being used as well as its capabilities and limitations. The notice must describe:
- The specific practices regarding the collection, storage and use of facial recognition data
- The “reasonably foreseeable” purposes for the use of facial recognition technology or for the collection and sharing of information derived from facial recognition technology
- Applicable data retention and de-identification practices
- The process for reviewing, correcting or deleting information derived from facial recognition technology (if applicable)
In addition, the act includes a number of other “EU-style” restrictions and requirements. For example:
- It prohibits using facial recognition data for purposes other than those described in the notice provided at the time consent is obtained.
- It prohibits sharing facial recognition data with unaffiliated third parties without obtaining separate affirmative consent to such sharing.
- It requires “meaningful human review” of output from facial recognition technology before making any final decision that may “result in material physical or financial harm” or “be unexpected or highly offensive” to the individual.
- If the facial recognition technology is made available as an online service, the act requires that covered entities include an application programming interface (API) that allows for independent third-party testing of the facial recognition technology for accuracy and bias.
- It distinguishes between “processors” and “controllers” of facial recognition data (using definitions drawn from the EU’s General Data Protection Regulation), requiring that processors provide controllers with the information necessary to give appropriate notice to the potentially affected individuals.
- It prohibits (1) conditioning provision of a service that does not require the use of facial recognition technology on the individual consenting to such use or otherwise waiving their privacy rights, and (2) terminating or refusing service if the individual refuses to consent.
Violations of the act may be enforced either by the Federal Trade Commission or through a civil action brought by any state attorney general or other authorized state official. The act has no private right of action.
In February, two identical bills, which are substantially similar to BIPA in many respects, were introduced in the Florida legislature (one in the House and one in the Senate). The Florida bills would require “private entities” in possession of “biometric identifiers or biometric information” to provide written notice to the individual (1) that a specific biometric identifier is being collected, (2) the purpose for the collection and (3) the duration of the collection. The private entity also must obtain “a written release executed by the subject of the biometric identifier or biometric information” or that person’s legally authorized representative, and maintain a publicly available written policy setting forth a retention schedule.
- The definition of “biometric identifier” is limited to a “retina or iris scan, fingerprint, voice print, or scan of hand or face geometry” and specifically excludes certain types of information such as photographs, tattoo descriptions and health information collected under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- “Biometric information” means “any information, regardless of the manner in which it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual” (subject to the same exclusions applicable to the definition of “biometric identifier”).
As with the existing biometric laws in Illinois, Texas and Washington, the Florida bills require that private entities take reasonable care to safeguard biometric identifiers from unauthorized access or acquisition. Unlike the Texas and Washington laws, but like BIPA and the New York City proposal described below, the Florida bills include the possibility of bringing a private cause of action against violating entities.
New York City
A proposal introduced late last year by New York City Council member Ritchie Torres (INT 1170-2018), would amend New York City’s administrative code to require any “commercial establishment” in New York City to disclose that it is collecting, retaining, converting, storing or sharing customers’ “biometric identifier information.” Such notice would have to be posted on a clear and conspicuous sign at the business’s entrance(s) and made available online.
- The posted sign must use plain, simple language. The specific form and manner of the notice will be described in rules to be issued by the commissioner.
The proposal defines “biometric identifier information” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, any of which is collected, retained, converted, stored or shared to identify an individual.” This is similar to the definition under BIPA, but more limited than the definitions in the newer Washington and California laws.
Also in line with BIPA, the proposed New York City law includes a private right of action; aggrieved individuals may recover $1,000 for negligent violations and $5,000 for intentional or reckless violations by covered commercial establishments. In addition, the New York City Department of Consumer Affairs may impose a $500 per day civil penalty for violations.
On March 28, 2019, the French data protection authority (the CNIL) published a model regulation governing the processing of employee biometric data pursuant to Article 9(4) of the EU’s General Data Protection Regulation, which allows individual EU Member States to establish national rules regarding the processing of biometric, genetic or health data. Biometric data falls within the GDPR’s “special categories” of personal data subject to heightened protections.
Specifically, the model regulation lists the types of employee biometric data that may be collected and processed for work-related purposes, and imposes technical and organizational safeguards, including specific data retention periods, that must be implemented to protect such data. Companies that wish to use employee biometric data must demonstrate to the CNIL why using biometrics is essential for a given purpose (as opposed to the use of a less invasive access control mechanism, such as an electronic key card or password). Compliance with the model regulation does not replace compliance with the rest of the GDPR – for example, employers still must conduct a data protection impact assessment regarding the proposed data processing activity and update the assessment at least every three years.
Given the constantly evolving technological and legal landscape in this area, companies that currently collect and use biometric identifiers should consider proactively amending their notice, consent, and retention mechanisms and policies to account for inevitable regulation that may restrict future uses of data that is obtained today. Businesses that are gearing up to deploy these technologies should carefully consider their design and implementation, and craft appropriate notice and consent processes to help prepare for future compliance.