Biometric Information

Inevitable regulations surround the next big advance in identification technology
John Nolan
June 14, 2018
COLUMN : Legal

It is safe to say that recent events and media coverage of digital security issues, including the unauthorized use of personal information through social media and large data breaches, have been a focus of concern. Consider the publicity surrounding Mark Zuckerberg’s Capitol Hill testimony regarding Facebook use and data security in early April. This hype tapped into the public’s worries about how these recent manifestations of the vulnerability of our digital information may be the tip of a very large, ominous and looming iceberg. 

Add to these current concerns the continued development of the scope and ability of biometric technology—it is as if what was once science fiction is now fact, and it is a little unnerving. For those unfamiliar, biometric information is personal information derived from attributes that form a part of what makes us individuals, i.e. one’s physical, anatomical, vocal and even chemical characteristics. This information is used for authentication of personal identity for security purposes and limiting access either to a physical and/or digital/electronic location. 

The technology of biometrics has been advancing in leaps and bounds. It can record the geometry of individual facial structures and features (facial recognition), fingerprint identification, voice patterns, retinal structures and, probably not too far in the future, even ubiquitous DNA scanning. With all the privacy concerns that come with these identifiers, it’s not likely that governments will sit on their hands. Some states have already enacted protections for the recording and use of biometric information which are harbingers for further regulation. And regulation of technology that is used every day is regulation that will affect us as well. 

While the developing tech will likely outpace the developing law, stakeholders in all aspects of the construction industry should be aware of the trend in this technology and become familiar with its likely regulation in order to understand both its potential benefits and adverse impacts.

Why biometrics?

The security industry has been developing biometrics as an alternative to proximity cards and password protection to heighten the levels of authentication required for access. The promise of biometric information is that, in comparison to current card readers and password-protected sites, it is difficult to duplicate. Biometrics are only usable by the individual and therefore provide a strong level of authentication. It is also convenient to the user and cost effective compared to password authentication. Further, different biometric-based technologies can be easily combined to provide two-factor authentication. 

The construction industry has begun to use biometrics for site accessibility and laborer time computation. Facial recognition security has been used by contractors in the U.K. for several years. In the U.S., the construction industry has been using non-biometric electronic authentication for years. The trend appears to be for greater use of biometric authentication. The concern with greater reliance upon this type of data is how it will be protected and who will be primarily responsible to do so.

Current regulation

There is currently no comprehensive federal law or regulation which specifically protects biometric information. The European Union has developed specific protections in its General Data Protection Regulations. In the U.S. however, current regulation is limited to a few states. 

The Biometric Information Protection Act is an Illinois statute that protects individuals from the use of their biometric information by private entities and allows private lawsuits to enforce the Act. Illinois has seen an increase in litigation. Between 2016 and the end of 2017, well over 20 class action suits have been brought in Illinois against a variety of companies seeking damages and attorney’s fees for alleged violation of the BIPA. 

In fact, while Facebook’s Zuckerberg was offering senate testimony, his company was defending a class action suit in federal court in San Francisco claiming that one of Facebook’s “tag suggestions” functions violates Illinois’ BIPA by prompting users to identify friends in uploaded photos. Similarly, Shutterfly has been sued under Illinois’ BIPA for its unauthorized application of facial recognition software in photos uploaded through its app.

Currently, only two other states, Texas and Washington, specifically regulate biometric information, although they each define the type of information regulated as “biometric information” in slightly different ways. In Texas, its law is enforced by its attorney general. Like Illinois, Washington allows damages suits for enforcement, however Washington does not provide for a winning plaintiff’s attorney’s fees to be awarded. 

While not specifically addressing biometric information protection, other states’ current laws—for instance, those requiring notification of data breaches—may encompass biometric information as part of broader protections for personal information. Those states include Delaware, Iowa, Maryland, Nebraska, New Mexico, North Carolina, Wisconsin and Wyoming. States such as New York and California recently failed to pass bills which endeavor to require mandatory notification for data breaches related to biometric information.

Based upon laws currently in effect at home and abroad, the common underlying legal requirements for the use of biometric information endeavor to protect individuals by requiring the following: 

  • Prior notice to individuals of the collection of their biometric information 
  • Requirements that the data be protected
  • Prohibitions against using the information for any reason other than security (i.e. the information cannot be commercialized)
  • Opportunity for individuals to demand destruction of the information (sometimes referred to as “the right to be forgotten”) 
  • Timely notification of the breach of protection for such information 
  • Written (perhaps public) policies for compliance

Stakeholders may consider evaluating current data protection practices/policies in terms of the potential use and storage of biometric information, and how such practices may change. They may evaluate the scope of their businesses to determine current and potential uses of biometric information, including whether, in the course of their duties, employees may be confronted with the use of such security measures by other companies. Employers may consider how to address notice and consent requirements for employees, outside consultants and vendors who may be subject to biometric information security. 

It is inevitable that, as technology progresses, securing data will become more complicated. This is true not only as a pragmatic measure, but also to comply with the inevitable increase and change in regulation these advancements will bring. Companies should become aware of the nature and scope of how regulation affects their businesses with this evolving technology. 

John Nolan is an attorney with The Gary Law Group, a law firm based in Portland, Oregon, that focuses on legal issues facing manufacturers of windows and doors. Contact him at 217/526-4063 or John@prgarylaw.com.