From unlocking your phone to clearing airport security, biometric systems have become integral to everyday life. Implementing biometrics in your business could improve the customer experience and enhance security. However, using biometric data brings significant legal responsibilities, requiring your business to strictly adhere to data privacy laws.

In this post, we will explore how to implement biometric systems while complying with data protection laws. We'll delve into relevant laws, consent, data minimization, and how to create a Privacy Policy that provides the protections you need.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What Are Biometric Systems?

Biometric systems automatically identify individuals from measurable human characteristics. The word biometrics means body measurement: these systems take measurements of human characteristics, run calculations on them, and use the result to identify a person.

As the Department of Homeland Security highlights below, these systems identify distinguishing, repeatable features. Governments use biometric systems to limit illegal entry into their countries:

DHS biometrics definition

Businesses can use biometrics for:

  • Physical access to buildings
  • Digital access to confidential information
  • Passwordless authentication
  • Fraud prevention
  • Personalized marketing

The benefits of biometric systems for businesses include simpler verification processes, reduced fraud, and personalization of the customer experience. However, as with any function that involves collecting, storing, and processing personally identifiable data, it is essential to consider the data protection and privacy law implications before you start using biometric systems.

How biometric systems work

Identifiable biometric characteristics fall into two categories: biological and behavioral.

As the Biometrics Institute explains below, biological (also called physiological) characteristics include:

  • Fingerprints
  • Veins in the hands
  • Iris pattern
  • Facial features

Biometrics Institute definition of physiological

Biological characteristics are useful as they are relatively unlikely to change over time. Fingerprints may become eroded in certain professions, such as bricklaying, and people may lose fingers through accidents or illness. However, for most people, these markers are stable and are an effective form of identification.

Behavioral characteristics involve analyzing individuals' movements, gestures, and motor skills as they perform particular tasks. As the Biometrics Institute explains below, how we walk and type can be recorded and then used to identify us.

Other examples of behavioral characteristics include:

  • Signature recognition
  • Voice pattern analysis
  • Lip motion
  • Mouse movements and clicks
  • Device interaction

Biometrics Institute definition of behavioural

Your business could risk getting left behind if it doesn't implement biometric systems that improve the customer experience. However, before it starts collecting biometric data, you need to consider legislation that applies in your locality.

Data Privacy Laws and Biometric Systems

Biometric systems may have their roots in the Second World War, but currently, no comprehensive federal data privacy law governs them in the United States. An attempt to introduce the National Biometric Information Privacy Act of 2020 (S. 4400) did not receive a vote in Congress.

Some states, notably Illinois, have taken action by enacting or preparing to enact laws to govern how biometric data is collected and used.

If your business targets customers outside the United States, it may need to comply with laws such as the GDPR and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Biometrics and US data privacy laws

Currently, only three states have enacted privacy laws that specifically govern biometric data - Illinois, Texas, and Washington. While not specifically a biometric data law, the California Consumer Privacy Act (CCPA) also regulates its use.

California

Businesses covered by the CCPA, amended by the California Privacy Rights Act (CPRA) in 2023, must clearly inform their customers about how they collect, store, and use their biometric data. This information must be included in their Privacy Policies, and customers must see a visible notice with a link to the policy when asking for consent.

The CCPA's definition of biometric information, shown below, is more wide-ranging than many other laws. It also considers biometric data collected without a consumer's knowledge, such as from surveillance camera footage, to be personal information:

CCPA definition of biometric information

Illinois

The Biometric Information Privacy Act (BIPA), enacted in 2008 by the state of Illinois, regulates private businesses operating in Illinois. As shown below in Section 5 of the BIPA, it governs "the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information."

BIPA section 5

However, the BIPA does not govern all types of biometric data. Section 10, shown below, narrows its definition of biometric identifiers to include only "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry."

BIPA section 10

Under the BIPA, businesses conducting business in Illinois must comply with the following requirements:

  • Obtain consent before collecting or disclosing biometric identifiers
  • Destroy records of biometric identifiers in a timely fashion
  • Store biometric identifiers securely

Crucially, as shown in Section 15 below, the BIPA requires that businesses use what is considered in their industry a "reasonable standard of care" when storing, transmitting, and protecting biometric data. Additionally, a business must apply the same or higher security protocols for biometric data as it uses for other types of confidential and sensitive information.

BIPA section 15

Individuals aggrieved by violations of the BIPA have a private right of action. They can pursue a claim in a state circuit court and may recover damages. In the 2019 case of Rosenbach v. Six Flags Entm't Corp, the Illinois Supreme Court ruled that a violation of the BIPA was by itself sufficient for an individual to claim damages. As the excerpt below shows, the plaintiff is not required to prove they were harmed by the violation, only that the violation took place:

Excerpt of Rosenbach v Six Flags case

If your business targets customers in Illinois, this highlights the importance of ensuring your systems are compliant from day one. Otherwise, you could face a raft of complaints from aggrieved Illinois customers.

Texas

The Texas Business and Commerce Code, Chapter 503, Biometric Identifiers, is similar to the Illinois BIPA, but is less stringent. As shown below, the right of action is limited to the attorney general, who can take steps to recover a civil penalty of a maximum of $25,000 for each violation:

Texas BCC chapter 503 excerpt

Washington

The Revised Code of Washington (RCW), Title 19 > Chapter 19.375 > Section 19.375.020 governs the "enrollment, disclosure, and retention of biometric identifiers." Passed in 2017, it affects all businesses operating in Washington state and requires them to obtain consent before collecting or processing biometric data.

As with the Texas state law, it does not include a private right of action. Only the Washington State attorney general is authorized to enforce the law.

Canadian biometric data privacy legislation

Biometric data privacy is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. Draft guidance on processing biometrics published by the Office of the Privacy Commissioner of Canada identifies key areas businesses must consider, including consent, limiting collection, and safeguards.

As the excerpt from the draft guidance below demonstrates, biometric data is particularly sensitive as biometric identifiers are unique, unlikely to vary, and difficult to change:

Canada draft guidance on biometrics

The Office of the Privacy Commissioner of Canada also emphasizes, as seen in the excerpt from the draft guidance below, that while guidelines can help, businesses are responsible for ensuring they comply with all applicable laws while handling the biometric data of Canadian consumers. For example, the province of Quebec has additional reporting requirements Canadian businesses must comply with.

Canada draft guidance on biometrics excerpt 2

The GDPR and biometrics

The GDPR and UK GDPR are two of the most prominent and stringent laws governing biometric data. If your business targets customers in the EEA or UK, you must ensure it complies with the GDPR, no matter where in the world it is based.

Under the GDPR, biometric data is classed as a "special category" of personal data. This means there are more strict requirements for:

  • Consent
  • Processing
  • Data protection measures

Individual member states have the authority to impose additional requirements around biometric data. If your business plans to collect biometric data from customers in France, Italy, or Spain, you must research and comply with their additional requirements.

How to Implement Biometric Systems in Compliance with Data Protection Laws

Exact requirements vary depending on where your business operates and where your target customers are located. However, the following are key considerations for any business looking to compliantly implement biometric systems to improve their security and customer experience.

Establish the necessity of biometric data collection

Before collecting biometric data, you must be sure there is a clear business case for implementing these systems over methods that use less intrusive personal data. If you're targeting European customers, note the definition of "specified purposes" below from the EU's Article 29 Working Party (now replaced by the European Data Protection Board (EDPB)):

Article 29 working party collected for specific purposes section

When deciding whether your business needs to collect data, answer the following questions:

  • Is this data being collected for a legitimate, important, and real purpose? Businesses should not collect biometric data without a clear purpose. For example, why was it necessary for your business to collect fingerprint data rather than using a PIN? Document why you decided it was essential for your business to collect this data and why alternative strategies were less effective.
  • Do the benefits of collecting this biometric data outweigh the disadvantages? You should demonstrate that the need for a biometric system was proportional to the purpose. If your business is looking to implement biometrics simply because of convenience or “just in case,” it may be worth exploring alternatives that make less intrusive use of personal data.

Conducting a comprehensive Privacy Impact Assessment is essential when deciding whether to implement biometric systems. This will allow you to analyze the following before committing to implementing a new system:

  • Privacy risks
  • Relevant legislation
  • How and by whom data will be stored and processed

Your PIA will also help you address the closely related consideration of data minimization.

Data minimization for biometric systems

Data minimization means only collecting the data that is essential to carry out a particular process. Collecting minimal data can minimize privacy risks and enhance security.

As the UK Data Commissioner highlights below, the guiding principles for data minimization are adequacy, relevance, and necessity. The less biometric information you collect and use, the less you must protect:

UK Data Commissioner data minimisation info

Data minimization is an ongoing process. Even after deciding what data is adequate, relevant, and necessary for your business purposes, it is important to schedule periodic reviews. This will help ensure you do not hold more data than you need to.

Consent for biometric systems

Consent is the cornerstone of all data privacy laws. While each law may define consent slightly differently, it must usually be:

  • Freely given
  • Specific and informed
  • Unambiguous
  • Able to be withdrawn at any time

The person giving consent to their biometric data being collected, stored, and processed must clearly understand why it is being collected and how it will be used. The individual must also understand how they can withdraw consent.

As Section 15(b) of the Illinois BIPA, shown below, sets out, consent must be obtained before collecting biometric data. It requires the "data subject" (the person whose biometric data is being collected) to be informed of the following in writing:

  • Their biometric data is being collected
  • Why it is being collected
  • How long it will be stored

The individual must then provide written consent to their data being collected and processed:

BIPA section 15 b

While all privacy laws require consent, businesses have different rights depending on the specifics of the law.

For example, as shown below, under Section 15(c) of the Illinois BIPA, even if you have the individual's consent, you cannot sell, lease, trade, or otherwise profit from biometric information under any circumstances. The Washington and Texas laws, by contrast, allow this if consent is obtained:

BIPA section 15 c

This highlights the importance of seeking legal counsel and conducting thorough research before collecting and processing any biometric data.

Compliant Privacy Policies for biometric systems

Implementing biometric systems will require you to update your Privacy Policy. You can either create a separate Biometric Information Privacy Policy or include it as part of your current Privacy Policy.

As shown in the example below, Sound Seal, a manufacturer of acoustic noise control products, operates in Massachusetts but targets customers in Illinois. Therefore, its Biometric Information Privacy Policy specifically mentions the Illinois BIPA:

Sound Seal Privacy Policy biometric clause

As Section 15(a) of the Illinois BIPA, shown below, illustrates, your Privacy Policy must be available to the public and meet specific criteria, which will vary depending on the laws that apply to your business:

BIPA Section 15 a

Key elements of a Biometric Information Privacy Policy include the following:

  • Definitions: Establish what the terms “biometric identifiers” and “biometric information” mean in terms of your Privacy Policy.
  • Purpose: Set out why you are collecting biometric data.
  • Disclosure and consent: Explain how you will inform individuals that you are collecting their biometric data and how they can provide or withdraw consent.
  • Retention: Set out how long your business will retain biometric data.
  • Storage: Detail how biometric data will be stored to meet the reasonable standard of care requirement set out in most data privacy laws.
  • Right to change: Your business should retain the right to change its Privacy Policy at any time, but ensure it communicates changes clearly to all affected parties.

Depending on the laws that apply to your business, there may be other considerations to include in your Privacy Policy.

Data security considerations

As we have seen, biometric data is a particularly sensitive form of personal information. Therefore, you must implement enhanced protections at every stage of the data's lifecycle.

Ask yourself:

  • Is my business using the latest data security protocols to protect biometric data?
  • If I work with a third-party vendor, have they been properly vetted to ensure they comply with relevant laws?
  • Does the business's cyber-risk insurance include biometric data claims?

Best practices include protecting biometric data with a strong, well-vetted encryption algorithm such as AES-256. Secure key management and two-factor authentication for anyone who can access the system also help keep the data out of the hands of bad actors.

Regular system updates and security audits are essential to ensure data security protocols are up to date and still fit for purpose.
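The consent, retention and encryption points made above (the Section 15(b) written notice and consent, the periodic retention review, and AES-256 protection with secure key management) combined into one added Go example. This is not code from the original post or from any product or company it mentions. It assumes AES-256 in GCM mode (an authenticated mode the post does not name), a key loaded from a separate key store rather than stored beside the data, and constructed sample values; the type and function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ConsentRecord holds what the data subject must be told in writing before
// collection (what is collected, why, and for how long), plus whether written
// consent was given or later withdrawn. Hypothetical type for this example.
type ConsentRecord struct {
	SubjectID     string
	Purpose       string
	CollectedAt   time.Time
	RetentionDays int
	Consented     bool
	Withdrawn     bool
}

// StoredTemplate is a biometric template held at rest as AES-256-GCM ciphertext.
// The key is kept elsewhere (a key store or HSM), so this record alone is
// useless to anyone who obtains a copy of the database.
type StoredTemplate struct {
	Nonce      []byte
	Ciphertext []byte // GCM output: ciphertext followed by the authentication tag
	Consent    ConsentRecord
}

var ErrNoConsent = errors.New("template rejected: no valid written consent on file")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreTemplate refuses to persist anything unless consent is on file, then seals
// the template. The subject ID is bound as additional authenticated data, so a
// ciphertext cannot be re-attached to another subject's record undetected.
func StoreTemplate(key []byte, c ConsentRecord, template []byte) (*StoredTemplate, error) {
	if !c.Consented || c.Withdrawn {
		return nil, ErrNoConsent
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, template, []byte(c.SubjectID))
	return &StoredTemplate{Nonce: nonce, Ciphertext: ct, Consent: c}, nil
}

// LoadTemplate decrypts a stored template; it fails if the key is wrong or the
// nonce, ciphertext or subject binding has been altered.
func LoadTemplate(key []byte, st *StoredTemplate) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, st.Nonce, st.Ciphertext, []byte(st.Consent.SubjectID))
}

// DueForDestruction is the periodic retention review: a record must go once the
// retention period the subject was told about has elapsed, or as soon as the
// subject withdraws consent.
func DueForDestruction(c ConsentRecord, now time.Time) bool {
	if c.Withdrawn {
		return true
	}
	return !now.Before(c.CollectedAt.AddDate(0, 0, c.RetentionDays))
}

func main() {
	key := make([]byte, 32) // constructed; a real deployment loads this from a key store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	consent := ConsentRecord{SubjectID: "subject-0001", Purpose: "employee time clock",
		CollectedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), RetentionDays: 30, Consented: true}
	st, err := StoreTemplate(key, consent, []byte("constructed fingerprint template"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes for %s\n", len(st.Ciphertext), consent.SubjectID)
}
```

Two design choices worth noting: the consent check sits in the same function that writes the data, so there is no code path that stores a template without a consent record, and the retention review is a pure function of the consent record and the current time, which makes it straightforward to run on a schedule over every stored record.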

Summary

Biometric systems can enhance the customer experience, reduce fraud, and improve security. However, businesses must navigate a raft of data privacy laws to implement them successfully. Biometric data, including behavioral and biological traits, is highly sensitive and must be collected, stored, and processed using the highest data security standards.

While no federal US law governs biometric data privacy, Illinois, Texas, and Washington have enacted regulations, and international laws such as the GDPR impose strict requirements. If your business is looking to implement biometric systems, key considerations include obtaining informed consent, practicing data minimization, and creating a robust Privacy Policy. These steps can protect your business from legal risks, particularly in locations with strict enforcement like the EU and Illinois.
