In Oregon, the legislature amended its existing Consumer Information Protection Act (OCIPA) to include biometric data, and that amendment became enforceable at the beginning of January 2020.

This means that personal information such as images of fingerprints, the iris or the retina, and other automatic measurements of an individual's physical characteristics, is now covered.

In the article below, we'll go over the details of Oregon's biometric data and privacy law, its requirements, what you need to do to bring your business into compliance, and best practices.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

  2. Answer some questions about your website or app.

  3. Answer some questions about your business.

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    You'll be able to instantly access and download your new Privacy Policy.

Oregon Added to Current Biometric Privacy Laws

When OCIPA's amendment came into effect on January 1, 2020, it joined a growing number of states that have passed some form of biometric data privacy legislation. Before 2018, only Illinois, Texas, and Washington had any biometric privacy laws.

Today, California, New York, Arkansas, Arizona, Louisiana, and Oregon have joined.

Among all of the states that have passed biometric protection and privacy legislation, Illinois' Biometric and Information Privacy Act (BIPA) remains the most comprehensive and stringent.

Many businesses have failed to live up to BIPA's regulations, which has left them open to lawsuits. For example, over 200 class action complaints were filed under BIPA across America in just one year.

What is Biometric Data?

In general, information that allows an individual to be digitally identified based on the aspects of that person's biology or physical characteristics is biometric data.

For example, facial features, fingerprints, structures of the eye (retina, iris, etc.), facial patterns, voice patterns, the way that you walk, the way you write, the way you type, all of these things are biometric identifiers.

They all reveal an incredible amount of sensitive information about a person. The reason this information is considered so valuable and so sensitive is not that the data is uniquely personal, but that those biometric identifiers are permanent.

Time doesn't change these markers.

Concerns About Biometric Data

Many people, especially civil libertarians and privacy advocates, are concerned about the risks associated with the misuse and abuse of biometric identifiers. Much of that concern revolves around immense security and privacy threats for those whose data is stolen or compromised.

For instance, individuals have been doxxed. They've had their credit card numbers, state-issued IDs, passports, and more stolen. Hackers have posted those things to online forums and bins on the Dark Web. Yet credit cards can be canceled and new ones issued, and there are remedies for when state-issued IDs are compromised.

However, due to the unique nature of biometric data, you can't replace it once it's been revealed or made public. If that information gets out in the open, the person to whom those biometric identifiers belong is in big trouble. One can hardly expect that individual to undergo experimental surgery to change their fingerprints, have an eyeball transplant, or have surgery to change their vocal cords.

What about security based on someone's DNA? There's no current technology that can re-write the data in a person's cells or change their chromosomes. CRISPR gene editing hasn't come that far.

The threat to individuals and consumers doesn't come from small businesses that mostly don't have the resources to implement biometric security or authentication technologies. Instead, the danger comes from big corporations, financial institutions, governments, and military spheres of influence.

Most of these organizations argue that their investment in biometrics is altruistic in nature and is designed to help protect the individual and provide better experiences between businesses and consumers.

However, another fear is the immense amount of power that the individual hands over to these institutions when they willingly deliver data that goes to the core of who these people are at a biological level.

Even if organizations acted in an entirely honorable manner and lived up to their promises regarding their use of biometric data and more, there is always the chance of a data breach.

However, the fact that there have been many lawsuits filed by private citizens against companies, accusing them of not abiding by data protection regulations, shows that even with laws designed to protect the consumer, some executives at some companies aren't the least bit ethical.

Due to these types of concerns, biometric data privacy laws are being debated, passed, and enacted at an increasing rate all over the United States of America.

Oregon's Efforts at Biometric Data and Privacy Protection

Oregon already had a data breach law. However, the state legislature decided to update that law, and an amendment was signed on May 24, 2019, by Governor Kate Brown. The newly updated set of regulations went into effect on January 1, 2020.

Vendors, which are defined as "a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity," are now covered by the data breach notification statute.

Today, vendors have to notify the state Attorney General if they suffer a data breach that affects the private, personal information of at least 250 Oregon state residents, or if the number of impacted individuals can't be ascertained.

Additionally, business customers must be notified within ten days of a vendor breach. The previous version of the law merely made mention of notifying customers "as soon as practicable." The meaning of personal information was also extended by the amendment to include usernames when put together with authentication factors.

Personally Identifiable Information

Under Oregon's new law, updated privacy regulations focus on personally identifiable information (PII). Some of the data specifically covered includes:

  • Health insurance and medical data
  • Biometric data
  • Account numbers and authentication data
  • Driver's license number
  • Passport number
  • Social Security number
  • Other information which is not legally available to the public

Expanded Definition of Personally Identifiable Information

The expanded definition of PII when it comes to biometric data now includes the automatic measurement of a state resident's physical characteristics. These are listed as retina or iris data and fingerprints.

Essentially, these are those things used to verify the identity of an Oregon state resident to further a transaction, verify a resident's medical history, diagnosis or treatment information, mental or physical health, or a resident's health insurance subscriber or policy number.

Experts believe that because the bill is specific about which types of biometric and medical data are defined as PII, companies will be able to develop suitable responses to any data breaches that may occur.

Penalties and Violations

Companies that do business in Oregon need to be cognizant that they could be held liable and be subject to civil action by the state Attorney General and local district attorneys if they violate the State's biometric data privacy law.

The new regulations make violations of the law actionable as unlawful business practices or unlawful trade. With that in mind, prosecuting attorneys will be authorized to investigate and then bring actions against companies.

However, unlike Illinois' BIPA, Oregon's updated law does not provide for private rights of action.

Facial Recognition Tech Banned

A significant development in Oregon when it comes to biometric data and privacy is that the city of Portland banned facial recognition technology within the private sector. In fact, Portland is the first area within the entire United States to do so.

Facial recognition tech was banned from hotels, restaurants, stores, and other public spaces within Portland on September 9, 2020. Portland's city council unanimously passed the ordinance to go into force on January 1, 2021.

According to Portland's city council, marginalized communities have been the victims of "over surveillance and [the] disparate and detrimental impact of the use of surveillance."

Additionally, the city council referenced several racial and gender discrimination instances when it came to facial recognition technology when making their ultimate decision.

Starting in 2021, the private sector will be forbidden from using face recognition technologies in "places of public accommodation" in the city of Portland.

Exceptions to this are:

  • Social media applications that use automatic face detection services
  • When individuals verify their identities to access their employer-issued or personal electronic and communication devices
  • When complying with other federal, state, or local laws

Unlike the OCIPA and its amendment, Portland's new ordinance gives city residents a private right of action. The penalty for violating the ban is $1,000 per day for every day the prohibition is violated, or, under the private right of action, damages for the harm caused by a company's violation of the ordinance. The ordinance also provides for other remedies that might be appropriate.

Definition of Terms

  • Private Entity - "Any individual, sole proprietorship, partnership, corporation, limited liability company, association, or any other legal entity, however organized." However, this doesn't include government agencies.
  • Places of Public Accommodation - "Any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise." However, this excludes "an institution, bona fide club, private residence, or place of accommodation that is in its nature distinctly private."
  • Face Recognition Technologies - "Automated or semi-automated processes using Face Recognition that assist in identifying, verifying, detecting, or characterizing facial features of an individual or capturing information about an individual based on an individual's face."
  • Face Recognition - "The automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository (one-to-many search). A face recognition search will typically result in one or more most likely candidates--or candidate images--ranked by computer-evaluated similarity or will return a negative result."

Another separate ordinance was passed by Portland's City Council which mirrors that of both San Francisco and Boston. This other ordinance bans local police and the city government from using facial recognition technology.

Complying with Biometric Privacy Laws in Oregon

Key takeaways for companies that want to protect themselves against lawsuits over alleged misuse of biometric data and technologies include the following:

  • Think hard before deciding that your business needs to implement biometric technology
  • Don't use facial recognition technology in Portland
  • Provide advance notice to those from whom you take biometric data
  • Obtain explicit consent before taking biometric data
  • Make sure the notice you provide to customers is fully transparent and details why you collect biometric identifiers and information, how you use that data, how you store the data, and how you disclose any and all information
  • Include a notice about your biometric policies in your Privacy Policy and in your Terms and Conditions agreement
  • When appropriate, ensure that you obtain written consent from your customers
  • Give individuals the ability to "opt-out" of biometric data collection

Disclose what types of biometric data you collect in your Privacy Policy, along with the other types of data you collect. Here's an example:

PayPal Privacy Policy: Categories of Personal Information We Collect clause

You can get consent to collect and use biometric data in the same way you do for other types of data: by requiring users to do something that explicitly shows they consent, like checking a box:

Generic consent checkbox

Remember that biometric privacy laws are increasing all over the United States. The trend toward stronger biometric data privacy laws is likely to continue well into 2021 and beyond. People are leery of the use of biometric data by governments, by law enforcement, and by companies within the private sector.

As a business owner, if you do business in Oregon or any other state with biometric data privacy laws, you need to pay close attention to compliance requirements in order to avoid potentially business-crushing penalties.