Understanding the Latest Biometrics Laws in the US: What Businesses Need to Know
Biometrics, the technology used to identify individuals based on physical and behavioral characteristics such as fingerprints and facial recognition, is gaining momentum in the US. While this technology is being harnessed for a range of purposes, including enhancing security and improving user experience, businesses collecting and processing biometric data must comply with a patchwork of laws across the country. This article explores the latest biometrics laws in the US and what businesses need to know to comply.
What is Biometric Data?
Biometric data is information that is collected, stored, and processed based on an individual’s unique physical and behavioral characteristics. This data can include fingerprints, facial recognition patterns, retinal scans, voiceprints, and even the way a person walks (gait recognition). Biometric data has become increasingly valuable for security, authentication, and personalization purposes, and over the years, many businesses have started collecting this data.
The Latest Biometrics Laws in the US
As biometric data becomes more prevalent in business, lawmakers are taking steps to protect individuals’ privacy rights. Currently, several states, including Illinois, Texas, and Washington, have passed biometric privacy laws that hold companies to stringent requirements when collecting and using biometric data. The most prominent biometrics law in the US is Illinois’s Biometric Information Privacy Act (BIPA), which has strict requirements for the collection, storage, and use of biometric data.
Under BIPA, companies must provide individuals with prior notice of the collection and use of their biometric data, obtain written consent, and disclose how long the data will be stored and the purpose of the collection, among other provisions. Moreover, BIPA allows individuals to sue companies for non-compliance and provides for damages of $1,000 to $5,000 per violation.
In Texas, the Biometric Identifier Privacy Act (BIPA) requires companies to provide a clear notice to individuals before collecting, capturing, or storing their biometric data. The law prohibits the sale of biometric data without specific consent and provides a right to sue for non-compliance. Additionally, New York passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD), which includes a section on biometric privacy, and the California Consumer Privacy Act (CCPA) regulates the biometric data of Californians.
Complying with Biometrics Laws in the US
Businesses collecting and processing biometric data should develop and implement a compliance program to adhere to biometrics laws. First and foremost, companies should ensure they get prior written consent from individuals before collecting and using biometric data. They should also provide robust notice of the collection and use of the biometric data, stating the purpose, the entities with whom the data will be shared, and the retention schedule.
Moreover, companies should institute security policies and procedures, such as data encryption, to secure the biometric data they collect. Sensitive information should not be stored on open networks or unprotected systems. It is also essential for businesses to monitor compliance with biometrics laws and maintain accurate records of data collection and use.
Conclusion
Biometric data has become increasingly valuable for businesses as they seek to provide better customer experiences and improve security and authentication. However, the use of this data raises new legal challenges and privacy concerns, especially with the patchwork of biometrics laws in the US. To comply with these laws, businesses should develop a compliance plan that provides robust notice and consent procedures, security protocols, and accurate record-keeping. Failure to do so may result in litigation, hefty fines, and significant reputational damage.