If you’ve been keeping track of tech advancements in recent years, you’ve likely noticed the appearance and growing use of biometric technology, which measures your unique physical, physiological and behavioral characteristics. From the iPhone X’s Face ID to Mastercard’s experimentation with built-in fingerprint scanners on credit cards, this kind of tech is being used in a number of ways to identify and authenticate you, the user. However, while biometric technology may be handy when it comes to accessing your phone without entering your passcode (e.g., using your face or finger instead), you might be wondering if your biometric data is secure when you use this tech. After all, unlike traditional passwords, it can be nearly impossible to change your biometrics, such as your fingerprint or retinal scan, if you want to protect yourself from identity theft in the case that your biometric data is compromised. As such, we wondered what laws, if any, exist to protect your biometrics and privacy. We did some digging, and here’s what we discovered (and why it matters).

Are there biometric privacy laws that protect you?

It turns out that, relatively speaking, there aren’t many biometric privacy laws, and some argue that there aren’t enough laws and regulations protecting your biometric data and information. As discussed in a 2016 Bloomberg video report, there are some states that do give their residents certain protections – some of which have come into the spotlight in the past year.

In early 2018, Google’s Arts & Culture app became home to a feature that could match people’s selfies to portraits from museums through machine learning, and the app quickly became the center of much hoopla. Many Illinois and Texas residents, however, missed out because of their states’ laws pertaining to biometric data collection, which cover restrictions regarding face geometry, albeit for unclear purposes. Google declined to comment to most publications when asked, but digging into these different biometric privacy laws can reveal a lot about the state of things in this area today.

Only three states have significant biometric privacy laws so far

There are several biometric privacy laws, but since none of them are federal (and, thus, applicable to all U.S. citizens), they sport a few key differences. Illinois implemented the first state law (and, arguably, one of the most stringent and comprehensive) pertaining to biometrics and privacy, called the Biometric Information Privacy Act (BIPA), in 2008. BIPA defines a biometric identifier as a “retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.”

This law enforces strict compliance requirements, and under this act, private entities aren’t allowed to “collect, capture, purchase, receive through trade or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” unless they follow certain procedures. These include the need to let a subject know in writing that their biometric identifier is being collected or stored, as well as the purpose and length of collection and storage. Under BIPA, private entities must also first obtain consent for disclosure from the subject of a biometric identifier or a “legally authorized representative,” and develop a publicly available, written policy about a retention schedule and the destruction of biometric identifiers – among other requirements. According to an article in the Fordham Journal of Corporate & Financial Law, BIPA is the “touchstone for biometric data regulation” – largely because of the “significant penalties it imposes.”

The Texas Biometric Privacy Act of 2009 is another commonly cited biometrics law, though it’s less strict than BIPA, and it doesn’t require written consent. Following in the footsteps of Illinois and Texas, last year Washington became the third state to pass a law pertaining to business activities and biometric data. Signed into law on May 16, 2017, Washington’s H.B. 1493 law defines “biometric identifier” differently from the other two laws, as it doesn’t include “physical or digital photograph, video or audio recording or data generated therefrom” in its definition of biometric identifiers. It also doesn’t mention scans or records of hand or face geometry, which is something that the laws in Illinois and Texas do. As a result, people in Washington could access Google’s art selfie feature and take part in the fun.

More laws are likely to come in the near future

While those three states are the only ones with fully functional, sweeping biometrics privacy laws on the books, attempts have been made by other states to pass their own laws – including Alaska, California, Idaho, Massachusetts, Montana and New York – and others are working on them. Possibly in the next couple of decades, we might even see a federal law passed, as biometrics continue to be used for all kinds of purposes that require broad consumer protection.

There are also some laws in existence pertaining to more specific areas, such as regulations in states like Oregon and New Hampshire pertaining to facial recognition on police body cameras and six states that restrict law enforcement from using driver’s license databases for facial recognition systems. Given that laws regulating the use and protection of biometrics in the U.S. are so varied and localized, it’s important to make sure you find out what, if any, protections your state offers when it comes to your biometrics.

Why should you care?

There are several reasons why you should care about biometric privacy laws. Here are some of them:

Your biometric data is valuable

First off, these types of laws could potentially assist you with providing more security for your biometrics – a positive if you care about keeping your most personal data private. History has shown us that some companies, including tech giants like Facebook, share data with third parties. Furthermore, organizations aren’t immune to data breaches, leaks and hacks, some of which can involve biometric data – as illustrated by the Office of Personnel Management hack that exposed millions of people’s stored fingerprints. When you consider biometric privacy laws, think about what they provide or don’t provide for you, and what you want from them.

The reason? It’s understandable to not want your biometrics to be shared with just anyone – especially if you’re using your biometrics to authenticate the use of your phone or credit card, for example. After all, you don’t want to give just anyone access to these, and crimes like payment card fraud and identity theft are easier to carry out if your biometric data is on the table for anyone to grab. And, as we mentioned earlier, biometrics can be difficult (or downright impossible) to change if your data is compromised. Once your biometric data is out in the open, there isn’t going to be much you can do to prevent unwanted access to this information – especially if there aren’t laws in place protecting that data and its misuse.

The ownership of your biometrics isn’t as clear as you might think

Scary as it may seem, the ownership of your biometric data isn’t clear. If you live in the U.S. and aren’t a resident of Illinois, Texas, Washington or other states that have passed biometric privacy laws, you could be out of luck if your biometrics are used in a way that you don’t approve of or become compromised. That’s why it’s so important to find out what laws exist to protect you, and why consumers should fight for stronger and more wide-sweeping protections of their biometric data.

Tech companies are fighting back against BIPA

Some tech companies have been fighting back against BIPA and other existing biometric privacy laws, seeking to overturn or amend them. This is largely because these regulations can prevent some of the tech developments companies have rolled out or plan to roll out in the future. Facebook, for example, has been targeted with a lawsuit centering around BIPA, as some plaintiffs argue that Facebook’s photo tagging system violates the act, since it identifies faces without consent. Other tech giants, including Shutterfly and Snapchat, have also run into similar lawsuits. As a result, some of these companies have brought legal action of their own against BIPA and laws like it (though it’s worth mentioning that some, like Microsoft, are calling for regulation of biometrics use). In order for the existing regulations to keep their teeth and new regulations to be passed, consumers need to be actively involved and aware of why their biometrics need protecting.

What can you do?

While biometric privacy laws can add some amount of protection, given that they aren’t ubiquitous yet, there are steps you can take on your own to better secure the privacy of your biometrics. One of the most important actions you can take is to read a company’s privacy policies and terms of service with a critical eye before using a product, service or website. These documents are often laden with helpful information when it comes to figuring out how companies store, share and use your data – including biometrics. Having knowledge about these areas can enable you to make more informed decisions when you’re deciding what products or services to use and how you’ll use them. If you’re deeply concerned about the privacy of your biometrics, the best thing to do is to avoid providing them, if you can. Opt instead to secure your accounts with more traditional passwords or PINs, or use items or services that don’t require you to provide your biometrics whatsoever.
