Privacy issues in biometrics

Commercial use of biometric data has dramatically increased in recent years: some software is now able to recognize physical characteristics, such as fingerprints, retinas, hand and facial geometry, as well as voices. This technology makes people’s lives easier, as their hand or voice may be enough to access their phone or bank account, and a single click may be enough to be tagged in hundreds of photos. However, you cannot change biometric data the way you change a password: it needs to be well protected. Companies have a long way to go to avoid getting into trouble.

Facebook, for example, has recently been sued (class action complaint). Plaintiffs alleged that Facebook – secretly and without consent – amassed users’ biometric data. Allegedly Facebook violated users’ privacy because Facebook’s Tag Suggestions feature – which scans uploaded photographs to identify faces – did not inform users that “their biometric identifiers (face geometry) were being generated, collected or stored”.

The action is pending. On May 5, 2016, a California District Court ruled that the Illinois 2008 Biometric Information Privacy Act (BIPA) applies and that plaintiffs stated a valid claim under the Illinois Act (740 ILCS 14), which requires companies to inform individuals in writing about the purpose and length of time for which their biometric identifiers are being collected, retained or used. The BIPA also requires companies to obtain consent before “disclosing” the individual’s biometric information. The BIPA allows for the recovery – for each violation – of either $1,000 or actual damage (if violation was negligent) or $5,000 or actual damage (if violation was intentional or reckless).

Similarly, Shutterfly – which offers online digital photo sharing, as well as facial recognition capabilities – settled in March 2016 a class action suit alleging the company violated the BIPA by creating a system permitting photos to be stored and searched using facial recognition technology.

In March and May 2016, respectively, the Google Photos service and Snapchat received putative class actions for allegedly collecting, storing and using – without informed consent and in violation of BIPA – “users’ biometric identifiers and biometric information”.

Tech companies are not the only ones using biometrics. For example, a national tanning salon chain has been accused of violating the BIPA by collecting customers’ fingerprints without obtaining their informed written consent. The salon chain created a $1.5 million settlement fund to repay customers submitting valid claims.

Interestingly, courts have also dismissed biometric data privacy cases. For example, an Illinois District Court recently dismissed an action against Smarte Carte. The company operates electronic lockers in public locations that use the renter’s fingerprint as a “key.” Plaintiff alleged that Smarte Carte retained his fingerprint biometric information without written consent in violation of the BIPA and sued for damages. He did not allege any harm from the violation. The Court dismissed the action, noting that allegations of a mere violation of the act do not qualify: “how can there be an injury from the lack of advanced consent to retain the fingerprint data beyond the rental period if there is no allegation that the information was disclosed or at risk of disclosure?”

The outcome of these pending cases will better define the scope of the BIPA and clarify which liabilities and privacy obligations businesses have concerning biometric recognition systems.

There are currently no federal laws in the US regulating the collection of biometric information. Only Texas (Tex. Bus. & Com. Code Ann. § 503.001) and Illinois (BIPA) implemented state laws to protect biometric information. In Texas, the penalty for each violation is higher than in Illinois – $25,000. However, under the Texas statute only the attorney general can bring enforcement actions.

Other statutes regulating biometrics are the Gramm-Leach-Bliley Act (GLBA) – applicable in the finance industry –, the Family Educational Rights and Privacy Act (34 CFR Part 99 FERPA) – applicable to educational institutions –, and the Health Insurance Portability and Accountability Act (HIPAA) for health-care providers.

The FTC contributed to the development of biometrics rules as well by issuing in 2012 recommended best practices for companies using facial recognition technology.

Several jurisdictions have enacted data breach notification laws which encompass unauthorized access to residents’ biometric information, and breach response. Among the jurisdictions specifically referring to biometrics are Connecticut, Iowa, Illinois, Nebraska and Wyoming. North Carolina and Oregon consider the breach of biometric data a violation of personal information when it is combined with the individual’s name.

Overall, considering the recent case law, the statutes, as well as possible legislative developments, businesses should carefully consider the privacy implications of biometric recognition systems. For example, they should consider applying the concepts of transparency and consent to the processing of biometric data, adopting special measures of protection, and carefully crafting a retention policy for such information.

More information is available at http://www.technethics.com…

In re Facebook Biometric Info. Privacy Litig., 2016 U.S. Dist. LEXIS 60046 * (N.D. Cal. May 5, 2016), is available at http://www.leagle.com…

Norberg v. Shutterfly, Inc., 1:15-cv-05351 (N.D. Ill. June 17, 2015) is available at http://digitalcommons…

Rivera v. Google, Inc., No. 16-02714 (N.D. Ill. filed Mar. 1, 2016) can be downloaded at https://www.scribd.com…

Martinez v. Snapchat, Inc., No. BC621391 (Cal. Super. Ct. filed May 23, 2016) can be downloaded at https://www.scribd.com…

Collough v. Smarte Carte, Inc., 2016 U.S. Dist. LEXIS 100404 * (N.D. Ill. Aug. 1, 2016) can be downloaded (with subscription) at https://advance.lexis.com…

More information on Sekura v. L.A. Tan Enterprises, Inc. is available at http://www.fingerprintsettlement.com…

FTC, Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies is available at https://www.ftc.gov…

Tex. Bus. & Com. Code Ann. § 503.001 is available here

Nebraska revised statute is available at http://nebraskalegislature.gov…

Connecticut Public Act No. 15-142 is available at https://www.cga.ct.gov…

Iowa Chapter 715C is available at https://coolice.legis.iowa.gov…

Illinois 815 ILCS 530/1 is available at http://www.ilga.gov…

Nebraska Revised Statute 87-802 is available at http://nebraskalegislature.gov…

Wyoming WY Stat § 6-3-901 is available at http://legisweb.state.wy.us…

North Carolina Identity Theft Protection Act is available at http://www.ncga.state.nc.us…

Oregon ORS 646.604 is available at http://www.oregonlaws.org…

For more information, Francesca Giannoni-Crystal.