Why COVID-19 Furthers the Case for a National Biometric Privacy Law

The COVID-19 pandemic completely changed the way businesses are run today. Most businesses with physical stores were faced with the following challenge: how do we limit contagion while remaining open for business? New forms of contactless biometric technology have stepped in to save the day; however, they do not come without risks.

By biometric technology I mean the use of distinct biological or physiological characteristics of a person for identification purposes. This includes eye, face, fingerprint, hand geometry, and voice recognition. The latest form of biometric technology is thermal facial recognition (also called thermal imaging). Thermal facial recognition is a touch-free identification system that detects an individual’s temperature by screening and capturing different levels of infrared light. This new biometric technology, which also includes a facial recognition feature, supports COVID-19 safety procedures by helping identify individuals who may pose a risk of contagion.

The global pandemic has both increased the demand for contactless biometric technologies and pushed for innovation in this industry. For example, in early 2021 the Department of Homeland Security tested new facial recognition technology that can potentially identify individuals wearing face masks.

This increase in demand and innovation of biometric technology has amplified the inherent data privacy concerns in the technology. As businesses implement biometric technology systems, where do they store personal biometric data? What do they use the data for and whom do they share it with? While 8 states have biometric privacy laws that address these issues, there is no comprehensive federal law regulating the use, collection, and protection of biometric data. The global pandemic made the need for a national biometric law evident. Opponents argue that a federal law would harm technological innovation by making it impossible for businesses to comply with rules and meet litigation costs. However, a biometric law that safeguards unique consumer data is in the best interest of both businesses and consumers.

The Main Shortcoming of Biometric Technology

Biometric technology poses a threat to data privacy. Data breach issues are prevalent in American businesses. Big companies like JP Morgan, Sony, Target, and T-Mobile have been hacked in the past. In 2016, Yahoo disclosed that its users were victims of one of the biggest cybersecurity breaches ever: data from at least 1 billion user accounts had been stolen. Moreover, a report in 2020 revealed that 33% of companies expose unsafe network services to the internet. When passwords, credit card numbers, and other personal information are stolen, there is a way to replace them. On the other hand, when biometric data is stolen, there is no way to replace an individual’s unique biometric markers. Biometric data is extremely sensitive; thus, businesses that hold biometric data should be held to rigorous standards.

What Rigorous Standards Look Like

A federal biometric law with rigorous standards would be effective and not too onerous. The oldest and most successful biometrics regulation in the United States, Illinois’ Biometric Information Privacy Act (BIPA), demonstrates this. Some of the statute’s significant features include requiring businesses to (1) acquire informed consent from the consumer prior to collection of biometric data; (2) disclose the purpose and length of term for which biometric data is being used; (3) not disclose data to a third party unless the person consents; and (4) create effective data safeguarding regulations using the reasonable standard of care within the private entity’s industry. For negligent violations, an individual can recover $1,000 or actual damages, whichever is greater. For intentional or reckless violations, an individual can recover $5,000 or actual damages, whichever is greater.

BIPA created a litigation onslaught against some of America’s largest companies, including Google, Facebook, Shutterfly, and TikTok. For example, in a class-action suit against Facebook, Illinois residents argued that Facebook’s photo tagging system used facial recognition technology to analyze photos and that the site’s privacy settings did not amount to general consent required by BIPA. As a result, Facebook agreed to pay $650 million in a settlement. BIPA prompted Facebook to replace its tag suggestion technology with a facial recognition setting that is turned off by default to ensure the technology is not used without users’ consent. Thus, the requirements under BIPA work together to address data privacy concerns by giving companies a strong incentive to comply with biometric laws, promoting best practices to protect personal data, and educating the consumer on his or her data.

A National Biometric Privacy Law Does Not Deter Innovation

Opponents argue that a federal law would make it impossible for businesses to comply with rules and meet litigation costs; yet, BIPA’s 13-year history has proved that its standards are not unworkable. The standards are fair and achievable. In fact, it is in the best interest of businesses to have biometric data safeguards in place given that the cost of data breaches is extremely high. Moreover, as the court noted in Rosenbach v. Six Flags, a BIPA case that examined the private right of action, “whatever expenses a business might incur to meet the law’s requirement are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

Conclusion

The COVID-19 pandemic has proved that biometric technology is ever-growing. While biometric technology offers a solution to hygiene and security concerns, hackers are always trying to get around security systems to collect invaluable data. Without a comprehensive federal law, there is little that encourages businesses to implement proper security practices. A law that requires them to have robust written policies for collecting and safeguarding biometric information, provide written notice to their users, and collect informed consent for the intended use of biometric data is imperative.