Many online platforms are using verification tools to address the broader concern of trustworthiness and credibility on the Internet. With a general move toward a “verified internet,” these online platforms are looking at new verification measures, including facial recognition and other biometric technology. The online adult video platform Pornhub announced last week that it will be introducing biometric technology to verify users who upload videos. In a statement, Pornhub explained that verification will be done by Yoti, a digital identity verification company, “by providing a current photo and government-approved identification document.”
Yoti advertises that it is a “privacy driven” verification solution. The company is a conduit between consumers and the platform owners, like Pornhub. Essentially, a consumer will provide Yoti with their biometric identifier, such as a video or voice recording, plus their government identification. Yoti will then verify that data for the platform owner, such as Pornhub. Pornhub will not see that information, but will rely on the verification to allow the consumer to access their site.
Biometric technology does not purport to be a universal solution. In the case of Pornhub, however, the use of biometric technology for verification purposes can help curb piracy and prevent the spread of nonconsensual pornography. Still, facial recognition and other biometric technologies are not without controversy, especially with the existence of biometric regulation. A leading model, the Illinois Biometric Information Privacy Act (BIPA), regulates the collection, use, and sharing of “biometric information” and “biometric identifiers.” For example, BIPA imposes the following obligations: (i) a written retention and destruction policy, (ii) informed written consent prior to collecting biometric information or biometric identifiers, (iii) a prohibition against profiting from biometric information or biometric identifiers, (iv) nondisclosure unless consent is obtained or the disclosure is required for specific purposes, and (v) reasonable standards of care with respect to the security of the biometric information and biometric identifiers.
In California, the California Consumer Privacy Act includes biometric information as one of the categories of personal information protected by the law. This means that all of the rights provided to California consumers to protect their personal information apply to biometric information – including the right to access that information, delete it, and opt out of the sale of that information. Finally, if an organization does not implement a reasonable security program to protect that data and suffers a breach, it can be subject to a class action under the private right of action with statutory damages of between $100 and $750 per consumer per incident. In the case of biometric information, since it is more sensitive in nature, the threshold for “reasonable” security will be higher, so companies should implement strict security standards for the data and work with vendors who do the same.
Companies collecting biometric information from California residents must also consider the California Privacy Rights Act (CPRA), which is the next frontier for California privacy. The CPRA creates a new sub-category of personal information called “sensitive personal information” that includes data relating to the consumer’s biometric identification. Businesses collecting sensitive personal information will be required to notify the consumer at or before the time of collection of: (1) the category of information the business will collect; (2) the retention period; and (3) whether the information will be sold by the business. Businesses will also be required to provide a “Limit The Use of My Sensitive Personal Information” link to allow consumers to restrict use of their sensitive personal information. The CPRA will go into effect on January 1, 2023, but it includes a “look back” period that will require companies to substantially comply by January 1, 2022.
With these new regulations and the associated risk, companies that are engaging in arrangements like the one between Yoti and Pornhub should carefully review their contracts to identify who is responsible for providing consumers notice and ensuring their rights. Equally important will be the review of the security obligations and requirements, data transfer obligations, as well as cyber insurance and liability caps to address the impact of an incident. Oftentimes, when a data incident occurs, the contract between the parties is one of the driving determinants for responsibility both to consumers and third parties.
These are important considerations as there is a continued trend toward the use of biometric technology by companies in all industries, including airlines, amusement parks, spa and beauty treatment centers, and health clubs. These industries must understand the increase in regulation in this area and note the importance of implementing a compliance and security program around their use of biometric technology.