There is a new debate over privacy, this time over biometric data like fingerprints and facial recognition technology. Lawmakers at both the state and federal level are considering new protections for biometric data as use of the biometric tech becomes more widespread.
The problem is, recent efforts to include biometric data in privacy laws may be too broad and vague.
Illinois passed a biometric data privacy law in 2008 (the Illinois Biometric Information Privacy Act), preventing businesses from profiting off biometric data, limiting business use of biometric data and requiring businesses to obtain consent from consumers before using their data. Texas followed suit in 2009 with the Texas Business and Commerce Code and Washington state in 2017 with an addendum to its Title 19 law. Both the Texas and Washington state laws contained similar protections for biometric data.
The New Hampshire legislature is debating H.B. 536, which “prohibits businesses from using, disclosing, or retaining biometric information about an individual.”
But Albert “Buzz” Scherr, chair of the International Criminal Law & Justice Program at the University of New Hampshire School of Law, said the bill isn’t specific enough to address the ways businesses may use biometric data.
For example, he said, appropriate use of biometric data really depends on the context in which it was gathered.
“Different kinds of biometric data are collected in very different ways,” Scherr told InsideSources. “Legislation that tries to lump it all into the category of biometric data is almost impossible to write. The way TSA collects facial recognition data is very different from the way 23andMe collects biometric data, which is even very different from how Google collects data.”
Law enforcement collecting biometric data to solve crimes, for example, is a widely-accepted practice, but even that can create complications.
“In New Hampshire we recently had a circumstance in a homicide case where the homicide occurred in somebody’s kitchen, and two people were killed, and the owner of the house had the Amazon Echo, so the police got a court order and sent it to Amazon saying, we want [that Echo’s] entire database as part of our investigation,” he explained.
Because entities can gather and share biometric data for legitimate reasons and uses, the issue really comes down to transparency.
“My general view is that [there should be] legislation telling companies what kind of notice they must give an individual,” he said.
Scherr said legislation should mandate 1) that companies give the consumer notice that they’re collecting biometric data, 2) should explain the ways in which they will use the biometric data, and 3) explain and list who they might give it to with or without a search warrant and who they might sell it to and whether they will anonymize it or not.
“That [would be] better than the legislation in New Hampshire which basically flows from, you can only use it in a way the customer would reasonably expect or want,” Scherr said. “That’s a really vague and messy circumstance and really hard to pin down. You’re going to have company after company coming in saying ‘well you should know we were going to use it for this purpose.'”
At a recent hearing before the Senate Committee on Commerce, Science and Transportation, privacy experts brought up similar points about biometric data protection. The California Consumer Privacy Act, for example, lumps together biometric data with other forms of data and doesn’t distinguish between the two.
“We believe all data deserves strong protection,” said Jim Steyer, founder and CEO of Common Sense Media, referring to the CCPA’s treatment (or lack thereof) of biometric data.
But Jules Polonetsky, CEO of the Future of Privacy Forum, told senators that biometric data needs stronger protections than other types of data covered by a federal privacy law.
“[It] should be subject to a stronger consent standard,” he said, echoing Scherr’s comments. “What we try to do is differentiate between facial recognition and facial detection, like how many heads are in a space, male or female. We certainly see potential for discrimination with facial detection, but you don’t have a unique identifier, so that might [require] a notice or an opt-out. If I [as a company] am going to identify you by your name, the default should be, I need your permission.”
Until Wednesday, federal privacy hearings didn’t touch on biometric data protection, partly because biometric data concerns aren’t as visible in the public eye as social media companies’ misuse of user data.
This could be problematic going forward if federal lawmakers don’t meaningfully address biometric data in a federal privacy law draft.
“There tend to be two different privacy worlds in terms of 21st-century technology,” Scherr said. “The digital world and the biometric information world, digital privacy and genetic privacy, and they tend to be two different worlds in terms of legislation. The digital privacy world is a much more developed world since it’s been around a bit longer than the generic and biometric data world, which includes stuff like facial recognition and DNA, 23andMe. That’s a lot newer in the public discourse. I think it tends to be the case you get legislation in the more developed areas than the areas that are newer to the public and scholarly discourse.”