Commercial Biometrics, Privacy and the Law

  • Advances in commercial biometric data collection present privacy and security concerns that are being raised by both the public and policymakers.
  • As of today, only Illinois and Texas have laws protecting citizens from the widespread collection of biometric data.
  • Recent high-profile cases have illuminated how the law applies not only to current privacy and security issues, but to future ones as well.

The Rise of Commercial Biometrics

Privacy has become a constantly diminishing asset in an age of “always-on” connected devices. As internet-connected devices have become ubiquitous, the public has reached a degree of comfort with the passive and anonymized collection of personal data. That data, however, is now becoming a lot more personal.

The rise of consumer-friendly biometric systems (think: iPhone fingerprint scanners, Facebook facial recognition, etc.) has created a valuable new data set for companies to mine. Facebook users upload upwards of 350 million photographs per day, and the company uses advanced facial recognition software to collect and store that user data. Facial messaging apps like Snapchat have access to even more granular facial feature and biometric data points. Predictably, the especially sensitive nature of biometric data has raised important privacy questions – some of which are now being played out in courtrooms and state houses.

Current Biometric Privacy Statutes

While there is currently no comprehensive federal legislation governing commercial biometric data collection, state governments have pushed ahead with efforts to regulate the practice. Two states, Texas and Illinois, have statutes that focus on the collection and use of biometric data.

In 2008, Illinois passed the Biometric Information Privacy Act (BIPA), which required individuals to give written permission prior to collection of biometric data like fingerprints or retinal scans. Texas law is virtually the same, except that it doesn’t specify how the user may give permission and does not contain a private right of action whereby consumers would be able to sue violating companies. Recently proposed legislation in Connecticut, New Hampshire, Washington, and Alaska contains provisions similar to the Illinois BIPA for the purpose of governing businesses that collect and use biometric data.


Consumer Pushback

The rise of biometric data collection has been met with consumer pushback in the form of class action lawsuits. For example, major video game maker Take Two Interactive was found in violation of the Illinois BIPA for allowing users to “create a player” by scanning in their own facial features, which handed that data over to Take Two, without getting the user’s written consent required by the statute.

The consumer biometric privacy pushback extends to the tech giants. Google is currently fighting a class-action suit alleging the company violated BIPA by using facial recognition to create face templates from photographs. Facebook is facing similar legal action with regard to the facial recognition technology used for the “Tag a Friend” feature. Central to these, and potentially many other biometric privacy cases in the future, is whether certain data falls within statutory definitions of biometric data. BIPA provides two statutory definitions:


  • Biometric Identifier – “Any personal feature that is unique to an individual, including fingerprints, iris scans, DNA and ‘face geometry,’ among others.”
  • Biometric Information – “Any information captured, converted, stored, or shared based on a person’s biometric identifier used to identify an individual.”


Both cases remain unresolved to date, with Google appealing the validity of the suit and Facebook also trying to get its case dismissed before discovery begins this year. But what’s clear is that concerns about the privacy and security of biometric data aren’t going away anytime soon.

A New Series of Challenges

The takeaway here is that the sensitivity of biometric data is presenting a whole new series of challenges to individuals, corporations, legislatures, and the courts. It’s an issue that we can expect to evolve quickly over the next decade, with significant implications for all. We’ll keep you posted.

Author: Josh Rittenberg

Josh Rittenberg is the Founder and Editor of Breach Memo. He is an attorney in New York City who first became interested in emerging threats while working as an analyst at the Center for Strategic and International Studies (CSIS) Transnational Threats Program in Washington, DC. He has been published by NPR, The American Lawyer, Corporate Counsel, and the CSIS Transnational Threats Update. The views expressed in this blog are his personally and not those of any other person, organization, or other entity.
