
Understanding Biometric Data and Legal Compliance

Background

Biometrics refers to measurable physical or behavioral characteristics that can be used to identify and authenticate individuals. This includes unique traits like facial features, voice patterns, and fingerprints, which are increasingly leveraged by organizations for identification and verification purposes. The data derived from these measurements, known as biometric data, is collected and analyzed through automated systems, making it a powerful tool for enhancing security and streamlining processes.[1]

 

In recent years, the use of biometric technologies has expanded significantly, with facial recognition, voice biometrics, and fingerprint scanning becoming the most commonly implemented methods. However, as these technologies become more widespread, they also raise significant privacy and ethical concerns. To address these issues, several U.S. states have enacted laws that establish guidelines for the collection, use, and protection of biometric data. Understanding these regulations is critical for organizations that rely on biometric technologies.[2]

 

Key U.S. Biometric Laws

Three states—Illinois, Texas, and Washington—have taken the lead in regulating the use of biometric data through comprehensive legislation. While these laws share common goals, they vary in their specific requirements and levels of stringency.

 

Illinois’ Biometric Information Privacy Act (BIPA) (740 Ill. Comp. Stat. 14/1 et seq.)[3]

Illinois’ BIPA is considered the most stringent biometric data law in the U.S., imposing significant obligations on organizations that handle biometric data. Key requirements include:

  • Providing individuals with written notice about data collection and its purpose.
  • Obtaining explicit written consent before collecting or using biometric data.
  • Maintaining a publicly available data retention and destruction schedule.
  • Prohibiting the sale, lease, or trade of biometric data.
  • Ensuring robust data security measures.

BIPA has created substantial liability exposure for companies, as non-compliance can result in class-action lawsuits and hefty penalties.

 

Texas’ Capture or Use of Biometric Identifier Act (CUBI) (Tex. Bus. & Com. Code § 503.001)[4]

Texas’ CUBI is less stringent than BIPA but still establishes important compliance requirements for the commercial use of biometric data. These include:

  • Providing notice at the point of data collection.
  • Adopting a clear data retention schedule.
  • Implementing proper data security practices.
  • Restricting the sale, lease, or disclosure of biometric data.

Unlike BIPA, Texas’ law does not include a private right of action, meaning individuals cannot directly sue for violations.

 

Washington’s Biometric Statute (Wash. Rev. Code § 19.375.010 et seq.)[5]

Washington’s law focuses on the enrollment of biometric data for commercial purposes. Its requirements include:

  • Notifying individuals at the time of collection.
  • Obtaining consent before collecting or using biometric data.
  • Adopting a retention schedule and destruction policy.
  • Prohibiting the sale, lease, or disclosure of biometric data.

Like Texas’ CUBI, Washington’s statute emphasizes compliance without granting individuals the right to bring private lawsuits.

 

Conclusion

As biometric technologies become more integrated into everyday life, organizations must navigate a complex regulatory landscape to ensure compliance. Illinois’ BIPA, Texas’ CUBI, and Washington’s biometric statute each set critical standards for the use and protection of biometric data, reflecting a growing focus on safeguarding individuals’ privacy. Businesses must stay informed about these laws and implement robust compliance measures to mitigate legal risks and maintain public trust in their biometric systems.

[1] What Is Biometrics?, Biometrics Institute, https://www.biometricsinstitute.org/what-is-biometrics/
[2] Biometric Technology: Legal Risks and Best Practices, Thomson Reuters (July 22, 2024), https://www.thomsonreuters.com/en-us/posts/corporates/biometric-tech-use/
[3] Illinois’ Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq. (2008), https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004
[4] Texas’ Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code Ann. § 503.001 (West 2023), https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm
[5] Washington’s Biometric Statute, Wash. Rev. Code § 19.375.010 et seq. (2023), https://apps.leg.wa.gov/RCW/default.aspx?cite=19.375
