|
April 29, 2019 - As of today, there is only one state in the United States that offers consumers any legitimate form of biometric privacy. That's Illinois. That state's legislators were way ahead of the curve. They passed a law known as the Biometric Information Privacy Act, or BIPA. And they did it before biometric data became an everyday reference; way back in 2008. Since then, only two other states have passed laws dealing specifically with biometric privacy; Texas and Washington. And the laws in both of those states are considerably weaker than BIPA.
We've focused a lot of attention lately on biometrics. That’s because it is pretty clear that stored biometric data is becoming an identity thieves' dream. It may not be tremendously useful to most people today but give it a couple of years. It is the current gold standard for identification and it wouldn't surprise us at all to see it's use take the place of today's social security numbers and credit card numbers.
Stored biometric data is the most powerful personally identifiable information (PII) there is. Yet, in most states it isn't categorized as PII unless it is associated with a name, address, birthdate or email. That's a problem because a single piece of biometric data can be used to get everything else needed for identity theft.
For instance, if a database containing your only your birthdate gets leaked, that isn't going to help anyone steal your identity if you don't have any other personal information leaked. But what if a facial recognition database with algorithms on your face is leaked. Even if that database doesn't contain additional information on you, it can be used to identify you. An enterprising person could use that data to search through pictures on the internet and come up with your name. Then they can target you. If you use facial recognition to open your phone, if they can get their hands on your phone they now have the ability to open it up.
The same thing holds true with DNA. If they can get a sample, they may be able to find you through a familial match. If that sounds far-fetched then just consider the fact that the police are now using this very technique to solve cold cases. It's the procedure that was recently used to catch the Golden State Killer.
This is where BIPA comes in. This law does two things that every other state needs to look at. It forces companies to get permission from consumers prior to storing their biometric data. And it gives consumers a private right of action when companies violate the law. In short, if your biometric data is added to a database without your permission, and you live in Illinois, you can sue the company that stored the data. The laws previously mentioned in Texas and Washington are both missing these elements.
BIPA has now been tested repeatedly in the Illinois courts, and it has held up. Illinois state courts have repeatedly ruled in favor of individuals filing suit under the law. Recently, a court found that employers couldn't force employees into arbitration over BIPA violations even when an arbitration clause was required from all employees. In that case, the employer hadn't obtained a written release from employees allowing the collection of biometric data - in this case fingerprints - hadn't told them that the data would be shared with out-of-state third-party vendors and didn't have a written policy for data retention and destruction of biometric data.
Of course, there are now forces trying to put in place federal laws that would usurp BIPA with a much weaker standard. We think that's a bad idea. It is actually time for more states to look closely at BIPA and to mimic it.
Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.
|
Politics & Politicians 
