The amount of data collected worldwide is rapidly proliferating, and one international organization wants to make sure it’s clear how to protect what is arguably the most sensitive category of that data: biometrics.
The Biometrics Institute, which has branches in London and Sydney, released new revisions to its Biometrics Privacy Guidelines to its members on February 2, providing recommendations on smart and respectful collection of data, including retina and iris scans, fingerprints, voice prints, and face geometry. With principles targeting informed consent, purpose, proportionality, and respect for client privacy, the Guidelines offer best practices to organizations looking to safeguard customer information while staying on the right side of regulators. Few laws have been enacted in the United States specifically addressing biometric data, with Texas and Illinois being the outliers; but with increasing numbers of data breaches and consumer privacy actions regularly being brought under generic unfair and deceptive practices laws, principles such as these can help businesses be prepared in advance.
The Biometrics Institute aims to encourage the responsible use and development of biometrics and privacy protection. Other areas highlighted in the guidelines include protection of biometric data collected, accountability, sharing of biometric data, transmission of biometric data beyond national boundaries, and the protection of employee biometric data.
Recent high-profile data breaches, in both the private sector and the government, have compromised vast amounts of personally identifiable information, including Social Security numbers, addresses, and payment card information. But the U.S. Office of Personnel Management breach included millions of federal employee fingerprints as well, sparking fears of even more insidious identity theft tied to personal characteristics that cannot be changed.
The Illinois and Texas biometric information laws, as well as the Biometrics Institute Guidelines, intend to give individuals more power, especially in commercial settings, to know when and why their sensitive data is being collected, and to be able to refuse. In all settings, including employment, they require the protection of the data using a reasonable standard of care for confidential information, and prohibit its disclosure without the individual’s consent unless it is to complete a financial transaction or is mandated by law. In the case of the Illinois law, the biometric data must be permanently destroyed when the initial purpose for collecting it is satisfied, or within three years of the individual’s last interaction with the collector – whichever occurs first.
Two companies, Facebook and Shutterfly, have recently found themselves tangling with proposed class actions under the Illinois law, with different results. Facebook was able to have the case about its auto-tag suggestions successfully dismissed for lack of jurisdiction, since the judge held that Facebook’s biometric recognition did not specifically target Illinois residents. But Shutterfly’s fate, in a suit likewise about the company’s practice of extracting face geometry from uploaded pictures without consent, remains in limbo. An Illinois federal district court denied Shutterfly’s motion to dismiss on December 29.
Businesses with a need to collect biometric data must proceed with caution and keep in mind that transparency and smart data-retention practices are not required solely for companies doing business in Illinois and Texas. The suits in Illinois illustrate that it is not even guaranteed that collecting data from pictures rather than from the individuals themselves means that the requirements of notice and consent are relaxed. As with collection of any sensitive personal information, biometric data collection must proceed only with a clear plan, and the Guidelines from the Biometrics Institute are a good starting point.