While this technology may make unlocking our phones more convenient, we run into issues with biometrics when they are used without our consent and the policies regarding how they are used are not transparent. Biometrics are especially sticky because a person can’t readily change their biometrics—you can’t change your fingerprints the same way you can change a password or your social security number if they are leaked. This puts individuals whose biometrics are collected at higher risk of identity theft should their information be compromised. Even acknowledging this risk, because biometrics are a new and evolving technology, few laws exist that regulate their use.
Employers and retail establishments are increasingly seeing the benefit of incorporating biometrics into their workplaces and businesses—often using them as a quick and convenient way for employees to identify themselves or to track consumers’ purchases. But what are the privacy implications of these practices? What rights do workers have when their employers want to roll out the use of biometric identifiers? How do consumers know if their biometrics are being used? The answer, it turns out, is dependent on where you are located.
Current biometric privacy laws are patchwork at best. No single, comprehensive federal law governs how biometrics can be used. While regulation at the federal level is lacking, there has been far more progress in regulating the use of biometric identifiers at the state and local level. While a growing number of states have passed data privacy laws that include protecting biometric data, many of them exclude personal data collected in the context of employment, including Colorado, Connecticut, Utah, and Virginia. However, some states go further in protecting workers’ biometric data. Let’s explore how a few states have made notable efforts towards regulating biometrics in a way that ensures privacy for workers.
Illinois
Illinois has one of the strongest biometric privacy statutes in the country: the Biometric Information Privacy Act (BIPA). BIPA, passed in 2008, is one of the most comprehensive laws regulating the collection, use, and storage of biometric identifiers. BIPA defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” This law requires any private entity (including employers) that collects biometric identifiers to receive a written release from individuals, as well as inform them in writing of how their biometric data will be collected, used, and stored, and for how long. BIPA gives employees a private right of action should their biometric identifiers be used without notice and consent.
Washington
Passed in 2017, Washington State’s law regarding biometric privacy is similar to BIPA but not as far reaching. Mirroring BIPA, it defines a biometric identifier as “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that [are] used to identify a specific individual.” It also requires informing individuals of how their biometric identifiers will be used, stored, and retained, as well as requiring consent to use individuals’ biometric identifiers. Unlike BIPA, enforcement for violations is left to its state attorneys general office; individuals may not bring a private lawsuit to enforce their privacy rights. Also, the Washington state law does not specify that notice be written. This law applies to “commercial purposes” and includes all entities except: some financial institutions, government agencies, law enforcement activities, and activities subject to HIPAA regulations.
Texas
In 2009, a year after BIPA was passed, Texas passed the Capture of Use of Biometric Identifiers Act (CUBI). Like BIPA, CUBI defines a biometric identifier as “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.” This law requires that individuals be informed, and consent be obtained, before gathering biometric identifiers from an individual. This law, in a departure from BIPA and the Washington State law, specifically states that employers that use biometric identifiers for security purposes destroy those records upon termination “of the employment relationship.” Like the Washington law, individuals are not empowered to bring suit, leaving enforcement solely to its state attorneys general.
California
California enacted its California Consumer Privacy Act in 2018, which was expanded by a ballot-initiated law, California Privacy Rights Act of 2020. These laws work together to regulate how businesses use and share consumer and employee information. The law covers a broad category of personal information, such as race, national origin, gender, and age, and includes biometric information such as fingerprints, faceprints, and iris or retina scans, and even voice recordings. Employers must provide notice of the information it is collecting and its intended use for the information. Beginning this year (2023), employers will also be required to implement privacy policies that address the collection, use, and disclosure of employee’s personal information; and employees will have the right to opt out of sharing personal information covered by the law. California’s law allows for a private right of action for data breaches and creates an independent agency to promulgate regulations and enforce the privacy framework.
New York
New York has a state law specifically regulating the use of fingerprinting employees. It prohibits employers from requiring employees submit a fingerprint “as a condition of securing employment or of continuing employment.” This law has some exceptions for employees of government agencies and publicly-funded hospitals.
In New York City, its City Council recently passed two local ordinances that affect how biometrics are collected in commercial establishments. Unfortunately, this law is far more limited than BIPA and does not offer the strongest privacy protections for employees. It only requires commercial establishments that use biometric identifier information (including but not limited to: a retina or iris scan, a fingerprint or voiceprint, a scan of hand or face geometry, or any other identifying characteristic) to post a written notice at customer entrances of how costumers’ biometrics are being used and stored. This law carves out exceptions for employees and government agencies—meaning employers can still use employee biometrics with little regulation. It still offers some protections to consumers, but they are limited. It does not require consent be obtained before using an individual’s biometric identifiers. It does make it illegal “to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information” which is a step in the right direction.
Consumer and worker privacy relating to biometric identifiers is incredibly important. As biometric technology is quickly being adopted in many different areas of our lives, states are slowly making progress towards regulating its use. Differences between state-level regulations can be confusing for consumers and workers. With more state laws concerning biometric identifiers and their use in the pipeline, the landscape of regulations will likely only grow more confusing—a comprehensive federal law regulating biometrics would solve this. In the meantime, it’s wise for consumers and workers to look into how their specific localities regulate the use of biometric identifiers and what recourse they have should their biometrics be misused. Sadly, until a federal protection is enacted, protecting biometric data will be piecemeal and dependent on where employees or consumers live and work.