Biometrics: A Developing Regulatory Landscape for a New Era of Technology
James Bond and Ethan Hunt have been using facial recognition, fingerprint scanning, and optical readers for years on the silver screen. In the real world, the use of technology that identifies unique physical characteristics of individuals (“biometrics”) is rapidly becoming more prevalent. In fact, the Department of Homeland Security uses facial scanning to identify potential terrorists, federal agencies have adopted fingerprint technology to confirm the identity and immigration status of aliens, and private entities have begun implementing palm and retina scanners and other identifiers to complete financial transactions or control access to secure information. Even the new iPhone 5 contains “Touch ID” technology, where a sensor quickly reads the user’s fingerprint and automatically unlocks the phone for the correct fingerprint.
There are two general types of biometric data: physiological and behavioral. Physiological data includes facial structure, retinal color and design, fingerprint readings, heat signatures, and DNA readings. Behavioral data includes handwriting samples and signatures, voice recognition, and keyboard stroke and typing habits. Physiological and behavioral data are generally used for either authentication (e.g., accessing a computer with a retinal scan) or identification (e.g., determining who used the computer by analyzing keystrokes). Although these technologies advance security and create new efficiencies, they also raise privacy concerns. Some biometric collection methods can be invasive or inaccurate, leading to false identification of an individual that could have serious repercussions, such as the misidentification of a citizen as an illegal alien. They may also result in multiple entities storing massive amounts of sensitive personal information.
As with other technology, biometrics is moving faster than the pens of most law makers. While federal and state search and seizure law (as well as several specific state laws, discussed below) governs any collection and use of biometric data by a governmental entity, no current federal law limits a private entity’s ability to collect, use, or disclose biometric data. Instead, the regulation of the private use of biometric data has largely been left to the states.
Although biometrics is still in its infancy from a regulatory perspective, several states have enacted statutes directly addressing the topic. Both Illinois (the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq.) and Texas (Bus. & Com. Code Ann. § 503.001) regulate a private entity’s use, disclosure, and eventual destruction of biometric data. Illinois obligates private entities that collect biometric data to develop written policies describing their biometric data collection methods. Both Illinois and Texas restrict the sale or lease of, or profit from, biometric data except in limited circumstances. The cost of noncompliance can be high. Under the Illinois law, violators may be subject to a private suit filed by an individual whose biometric data has been compromised. Damages for each violation are the greater of liquidated damages ($1,000 for a negligent violation or $5,000 for an intentional or reckless violation) or actual damages, and injunctive relief and attorneys’ fees and costs are also available. Texas subjects violators to a civil penalty (which may be enforced by the Texas Attorney General) of up to $25,000 for each violation. In addition to the comprehensive Illinois and Texas laws, several states (Iowa, Nebraska, North Carolina and Wisconsin) include various types of biometric data in their definition of “personal information” for purposes of data security breach notification laws, which require notice to data owners in the event of a data breach involving such information. Finally, New York prohibits private employers from fingerprinting their employees as a condition of securing or maintaining employment except in limited circumstances.
Several states have enacted laws governing the collection, use or disposal of biometric information by state entities, but the substance of these laws varies widely from state to state. Washington and Oregon have authorized their respective drivers’ licensing departments to use facial recognition technology to prevent individuals from obtaining multiple or fraudulent licenses. Only the Washington law restricts the licensing department’s ability to share or disclose the biometric data it collects. Maine, Missouri and New Hampshire, on the other hand, expressly prohibit the use or collection of biometric data in connection with drivers’ licenses. Arizona, Illinois and Louisiana prohibit schools from collecting biometric data from students before first obtaining parental consent and place restrictions on the use, storage, and destruction of such information. Texas broadly prohibits the governmental bodies from selling, leasing, or disclosing an individual’s of biometric data without first obtaining that individual’s consent, except in connection with disclosures required by law or in connection with law enforcement.
Even if a specific state law does not apply, private entities that collect biometric data from their employees may face class action claims based upon federal or state laws prohibiting discrimination. For example, in 2013 the Equal Employment Opportunity Commission sued an employer in West Virginia alleging religious discrimination in violation of Title VII of the Civil Rights Act of 1964 in connection with the use of biometric technology for tracking employee time and attendance. An evangelical Christian employee believed that submitting to a workplace hand scanner had a connection to the “Mark of the Beast” as referenced in the Bible’s Book of Revelation. The employee asked the company to accommodate his religious beliefs by allowing him to track his time by reporting to his supervisor or submitting manual time records, but the company refused, and the employee filed an EEOC charge that ultimately resulted in the lawsuit. As of the date of this article, the lawsuit is still in the discovery stage, with trial set for late 2014.
As biometric technology becomes more common in mobile devices and in the workplace, more states are likely to enact comprehensive biometric privacy laws like those in Illinois and Texas. While the biometrics landscape continues to develop on a state and federal level and many of the existing laws remain largely untested, private entities should carefully review their policies and procedures now to determine if they collect or use biometric information, and if so, engage a qualified attorney to determine what their rights, obligations, and potential liabilities are as to such practices.