circumstances, such as when necessary to complete a transaction or provide a service or product requested by the individual, when required by law or for use in judicial proceedings, or when sold to or shared with a third party who promises to use it in a way consistent with original notice and not to share it further.
PUTTING IT INTO PRACTICE: Does your company share biometric data? Have you considered the restrictions that may be in place in Illinois, Texas, or Washington?
Biometric Breakdown Part II – Collection
Posted on April 25, 2018
Continuing our series, we look today at what a company should think about when collecting biometric data. Three U.S. states—Illinois, Texas, and Washington—have laws on-point. The Illinois statute is the most specific requiring written notice disclosing the purpose of collection and the length of time biometric information will be stored. It also requires companies to obtain each individual’s written consent. Texas requires companies to inform individuals of collection and obtain consent, but neither must be written. In Washington, companies may either give notice, obtain consent, or “prevent the subsequent use of a biometric identifier for a commercial purpose.” Companies in compliance with the Illinois law would also satisfy the other states’ less specific requirements.
The Illinois statute provides a private right of action, and dozens of class action complaints against companies have recently been filed alleging inadequate notice and/or a failure to obtain written consent before collection. As we have written previously, many of these relate to employers’ collection of fingerprints for time tracking systems.
PUTTING IT INTO PRACTICE: Companies that collect biometric information should look at their collection practices and assess if notice and consent is needed and sufficient.
Biometric Breakdown – Part I
Posted on April 24, 2018
Technologies which use permanent physical characteristics for identification are increasingly popular. These “biometric” identifiers offer clear advantages over traditional passwords and keys: they can’t be lost or forgotten, and they are much more difficult to steal. No longer only the stuff of spy thrillers and science fiction, fingerprint and facial geometry scans are now commonly used to ensure that only authorized employees can access restricted facilities and computers. Fingerprints are also widely used to secure smartphones and to access banking applications. The technology has potential application well beyond security as well. Along with these commercial benefits, however, come significant risks. Unlike traditional identifiers, if biometrics are compromised they are not easily changed. That risk of compromise will likely increase as technology develops. For this reason we are seeing an increase in both biometric laws, and biometric lawsuits. In this series of posts we will look at the laws that impact a company’s collection of biometrics, and the risks when things go wrong.
PUTTING IT INTO PRACTICE: Companies who collect or possess biometric information should follow this series and think carefully about how they collect, use and protect biometric data.
                       Eye on Privacy 2018 Year in Review 8