Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
Biometric data privacy is an issue that is likely to grow in importance as more states pass new laws, or update existing ones, in response to public concern about the risks involved in collecting and using that information.
In Oregon, the legislature amended its existing Consumer Information Protection Act (OCIPA), and that amendment became enforceable at the beginning of January 2020. The idea behind the amendment was to ensure that OCIPA was expanded to encompass much more than merely "identity theft protection." Now, there's a focus on the much broader notion of data rights and consumer privacy.
Biometric data now falls under OCIPA's umbrella of data rights and privacy. Personal information such as images of fingerprints, irises or retinas, and other data from automatic measurements of an individual's physical characteristics, is now covered. Specifically, biometric information that is used to authenticate a person's identity in the course of a transaction falls within the amended law's protections.
In the article below, we'll go over Oregon's biometric data and privacy law in more detail: its requirements, what you need to do to bring your business into compliance, and best practices.
When OCIPA's amendment came into effect on January 1, 2020, it joined a growing number of states that have passed some form of biometric data privacy legislation. Before 2018, only Illinois, Texas, and Washington had any biometric privacy laws.
Today, California, New York, Arkansas, Arizona, Louisiana, and Oregon have joined.
Among all of the states that have passed biometric protection and privacy legislation, Illinois' Biometric Information Privacy Act (BIPA) remains the most comprehensive and stringent.
Many businesses have failed to meet BIPA's requirements, which has left them open to lawsuits. For example, over 200 class action complaints were filed under BIPA across the United States in a single year.
In general, information that allows an individual to be digitally identified based on the aspects of that person's biology or physical characteristics is biometric data.
For example, facial features, fingerprints, structures of the eye (retina, iris, etc.), voice patterns, the way you walk, the way you write, and the way you type are all biometric identifiers.
They all reveal a great deal of sensitive information about a person. What makes this information so valuable, and so sensitive, is not only that it is uniquely personal, but that these biometric identifiers are permanent: time doesn't change these markers.
Many people, especially civil libertarians and privacy advocates, are concerned about the risks associated with the misuse and abuse of biometric identifiers. Much of that concern revolves around immense security and privacy threats for those whose data is stolen or compromised.
For instance, individuals have been doxxed. They've had their credit card numbers, state-issued IDs, passports, and more stolen, and hackers have posted those details to online forums and paste sites on the dark web. Yet credit cards can be canceled and reissued, and there are remedies when state-issued IDs are compromised.
Biometric data is different: once it has been revealed or made public, it can't be replaced. If that information gets out, the person to whom those biometric identifiers belong is in serious trouble. One can hardly expect that individual to undergo experimental surgery to change their fingerprints, replace their eyes, or alter their vocal cords.
What about security based on someone's DNA? There's no current technology that can re-write the data in a person's cells or change their chromosomes. CRISPR gene editing hasn't come that far.
The threat to individuals and consumers doesn't come mainly from small businesses, which mostly lack the resources to implement biometric security or authentication technologies. Instead, the danger comes from large corporations, financial institutions, governments, and the military.
Most of these organizations argue that their investment in biometrics is altruistic in nature: that it protects the individual and provides better experiences between businesses and consumers.
Another fear, however, is the immense amount of power that individuals hand over to these institutions when they willingly deliver data that goes to the core of who they are at a biological level.
Even if organizations acted in an entirely honorable manner and lived up to their promises regarding their use of biometric data and more, there is always the chance of a data breach.
Moreover, the many lawsuits filed by private citizens against companies accused of not abiding by data protection regulations show that, even with laws designed to protect the consumer, some companies do not act ethically.
Due to these types of concerns, biometric data privacy laws are being debated, passed, and enacted at an increasing rate all over the United States of America.
Oregon already had a data breach law. However, the state legislature decided to update that law, and the amendment was signed on May 24, 2019, by Governor Kate Brown. The updated set of regulations went into effect on January 1, 2020.
Vendors, which are defined as "a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity," are now covered by the data breach notification statute.
Today, vendors have to notify the state Attorney General if they suffer a data breach that affects the personal information of more than 250 Oregon residents, or if the number of affected individuals can't be determined.
Additionally, a vendor must notify the covered entity it serves no later than ten days after discovering a breach. The previous version of the law merely required notifying the covered entity "as soon as practicable." The amendment also extended the definition of personal information to include usernames when combined with the authentication factors that grant access to an account.
Under Oregon's new law, updated privacy regulations focus on personally identifiable information (PII). Some of the data specifically covered includes:
The expanded definition of personal information now covers data from automatic measurements of a state resident's physical characteristics, with retina or iris data and fingerprints given as examples, when that data is used to authenticate the resident's identity in the course of a transaction.
The amendment also added medical information to the definition: a resident's medical history, diagnosis or treatment information, mental or physical health condition, and health insurance subscriber or policy number.
Because the amendment is specific about which biometric and medical data are defined as personal information, companies are better able to plan appropriate responses in advance for any data breaches that may occur.
Companies that do business in Oregon need to be cognizant that they could be held liable and be subject to civil action by the state Attorney General and local district attorneys if they violate the State's biometric data privacy law.
The new regulations make violations of the law actionable as unlawful trade practices. With that in mind, prosecuting attorneys are authorized to investigate and bring actions against companies.
However, unlike Illinois' BIPA, Oregon's updated law does not provide for private rights of action.
A significant development in Oregon when it comes to biometric data and privacy is that the city of Portland banned facial recognition technology in the private sector. Portland is the first city in the United States to do so.
On September 9, 2020, Portland's city council unanimously passed an ordinance banning facial recognition technology in hotels, restaurants, stores, and other public spaces within the city, with the ban taking effect on January 1, 2021.
According to Portland's city council, marginalized communities have been the victims of "over surveillance and [the] disparate and detrimental impact of the use of surveillance."
Additionally, the city council referenced several racial and gender discrimination instances when it came to facial recognition technology when making their ultimate decision.
Since January 1, 2021, the private sector has been forbidden from using facial recognition technologies in "places of public accommodation" in the city of Portland.
Exceptions to this are:
Unlike OCIPA and its amendment, Portland's ordinance gives city residents a private right of action. The penalty for violating the ban is $1,000 per day for each day the prohibition is violated, or the actual damages caused by a company's violation of the ordinance, and the ordinance also allows for any other remedies that may be appropriate.
Another separate ordinance was passed by Portland's City Council which mirrors that of both San Francisco and Boston. This other ordinance bans local police and the city government from using facial recognition technology.
Oregon's biometric laws are neither comprehensive nor completely clear. With cities such as Portland passing ordinances that completely ban some uses of biometric technology, Oregon joins California and Massachusetts in making things more complicated for businesses: companies must now pay attention to the laws of individual cities as well as the state's regulations.
Key takeaways for companies that want to protect themselves against lawsuits over alleged misuse of biometric data and technologies include the following:
Remember that biometric privacy laws are increasing all over the United States, and the trend toward stronger biometric data privacy laws is likely to continue well into 2021 and beyond. People are leery of the use of biometric data by governments, by law enforcement, and by companies in the private sector.
As a business owner, if you do business in Oregon or any other state with biometric data privacy laws, you need to pay close attention to compliance requirements in order to avoid potentially business-crushing penalties.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.