An increasing number of companies—in healthcare, education, finance, retail, technology, and manufacturing—are implementing biometric identifiers.
This trend is growing in popularity because, some argue, biometrics are more stable over time: passwords can be compromised and changed, which creates security challenges for businesses, while biometrics cannot. As biometrics streamline the identification process, privacy concerns may arise. To address potential privacy risks, several states have passed or proposed biometric laws.
What Are Biometric Identifiers?
Biometrics can be defined as unique, measurable behavioral or physiological characteristics that describe a person. Essentially, biometrics work by using these unique characteristics to enhance personal authentication with easier, faster, and more secure processes. Common examples of biometrics are:
- Palm Vein
- Face Recognition
- Palm Print
- Hand Geometry
- Iris Recognition
- Typing Rhythm
Implementing biometric identifiers presents businesses with new opportunities. For example, biometrics can be used to:
- Improve student success in education by measuring and tracking student engagement.
- Save time in administrative processes by quickly identifying individuals with reduced human intervention.
- Help prevent unauthorized access to physical and digital environments.
States with Biometric Laws
Illinois, Texas, and Washington State are among the first states to pass laws to regulate biometric data. Other states such as Arizona, Florida, Massachusetts, and New York have proposals pending. These laws regulate the collection, use, storage, and retention of biometric data. In response, businesses’ biometric compliance policies tend to emphasize the following:
- Obtaining consent from individuals before collecting or disclosing personal biometric identifiers
- Storing biometric data securely
- Destroying biometric identifiers in a timely manner
- Outlining separate biometric data policies for employees and customers
It’s important to understand each state’s law and its requirements. For instance:
Definition: Some state biometric laws broadly define biometric identifiers as behavioral and physiological characteristics, while others specify particular types of biometrics, such as the common examples listed above.
Enforcement: Many states give their attorney general the power to enforce these laws. However, differences exist. For instance, Illinois law allows individual or class action lawsuits. Violation of Illinois biometric law could result in fines between $1,000 and $5,000 per incident of noncompliance.
Biometric Law Compliance Conclusion:
As more companies incorporate biometrics into business operations, states will continue to pass laws to guide business practices. Companies should become cognizant of biometric law requirements and differences to ensure that policies and practices align with these legal obligations.
Octillo monitors developments regarding data privacy and security law, including biometric privacy requirements. Our team of experienced compliance advisory attorneys, who are also devoted technologists, is equipped with the skills and experience necessary to help businesses evaluate the legal risks posed by modern technologies. Octillo can help businesses develop comprehensive and scalable data privacy compliance programs, as well as defend businesses currently facing data privacy litigation.
*Attorney Advertising: Prior results do not guarantee a similar outcome.