Biometric data refers to any piece of information about an individual's physical characteristics or health: an eye-scan, fingerprints and voice recognition all come under the umbrella. You only have to open the Apple Health app to see a slew of other metrics that can be tracked, from menstrual cycles to hearing levels.
This was already an ongoing trend as wearable technology grew in popularity, but Covid has accelerated the amount of biometric data being gathered. More than 60% of professionals surveyed in July 2021 said that adoption of biometric solutions – and, hence, the gathering of biometric data – has skyrocketed during the pandemic. Specific types of biometric data are also used for market research purposes: this includes eye-tracking on a webpage or sensors that track reactions to particular stimuli.
This data is undoubtedly rich, but it also needs to be handled with a lot of sensitivity. Specific data about an individual's health status is already considered sensitive under the EU's General Data Protection Regulation. That's because, with enough information pieced together, biometric data can identify a unique individual, which puts them at risk of being targeted by marketers. A study by the technology research company Comparitech found that out of 96 countries assessed, governments in China, the US and the UAE are some of the most extensive and invasive biometric data collectors.
An eye on regulation
Seeing the risk that this sort of data gathering poses to consumers and tech users, regulators are starting to catch up. In December 2021, the Turkish Data Protection Board published guidance on the processing of biometric data, stating that data should be destroyed as soon as it's no longer needed and that genetic data should be kept separate from biometric data wherever possible. In New York City, businesses gathering any form of biometric data are required to tell people they're doing so and are banned from profiting off that data, as of July 2021. In Illinois, under the Biometric Information Privacy Act, locals filed a class-action lawsuit against Facebook – the company settled for $650 million in February 2021 and announced that it would be stepping away from facial recognition technology in November the same year.
We caught up with Nicola Menaldo and Susan Fahringer, partners at Perkins Coie, a law firm with headquarters in Seattle. They share their thoughts on what businesses should know about biometric privacy law.
How has the legal landscape changed around biometric privacy?
A. ‘More accurate and less expensive biometric technologies have accelerated adoption of the technology over the past decade. The pandemic fueled even broader adoption, as businesses recognized new uses for it, such as to support touchless ID systems. As use of the technology has grown, so has government scrutiny. The current regulatory regime is a patchwork of local, state and federal laws, as well as industry guidelines. In the US, there's extraordinary risk in certain jurisdictions, especially in the state of Illinois, which has enacted the Biometric Information Privacy Act.’
What are the biggest mistakes companies make collecting and storing biometric data?
A. ‘Not knowing the law, and not knowing how to comply with it, creates unnecessary and very substantial risk, especially in states like Illinois. We also often see companies over-collect or over-retain data that they don't need, simply because it's available: from the more obvious identifying information, like name, address and email, to the not as obvious data, like biometric data – facial recognition data and fingerprints – whether or not linked to identifying information. This is generally bad privacy hygiene and it can lead to increased risk and exposure.’
What advice would you give to ensure businesses stay on the right side of regulation?
A. ‘The first step to addressing compliance in any area of privacy, not just biometrics, is mapping data flows and understanding exactly what data is being collected, how it's being stored, for which purposes it's being used and who it's being shared with. With this factual background, a company can then consider which jurisdictions it's operating in and whether the data it's collecting counts as biometric data in those jurisdictions.’