4 Legal Insights into Biometric Privacy Laws and Regulations

Stevie Carpenter
Published 02/28/2024

Biometric data represents an exciting opportunity in technology, with applications across many sectors: financial institutions, social media, education, and healthcare, to name but a few.

As with any personal data, there are privacy concerns to consider. At the time of writing, there are no nationwide biometric privacy laws. However, state and federal laws around privacy may apply to your use of biometrics. Organizations must be aware of their legal responsibilities when handling such data.


What Are Biometrics and Why Are They Important?

We each have unique physical characteristics and behaviors that make us individuals. When organizations use those characteristics to identify us, they’re known as biometrics. Those seeking to verify our identity with biometric data often use technology to do so.

One such example of this is using your fingerprint to unlock your smartphone. It’s a secure method for verifying your identity, as fingerprints are always unique. Even identical twins, who share the same DNA pattern, have different fingerprints. This is because fingerprints begin to form early during pregnancy. Subtle differences in the womb cause each twin’s fingerprints to develop separately. This results in similar yet unique fingerprint patterns.

Fingerprint identification is useful for more than unlocking your phone. You may use it to log into many other services using your phone’s fingerprint scanner. You can use it to access anything from your online banking to a VoIP telephony service. It’s also used to ensure secure access to physical spaces such as an office.

It’s not just fingerprints. There are many other biometric markers that organizations use to verify identities. Each of them is incredibly difficult, if not impossible, to forge.

You may be aware of the use of AI with biometrics. Facial recognition technology can use AI to identify people in a crowd. It can even recognize the way people move. Facial surveillance technology is somewhat controversial. This brings us to the legal ramifications of using biometrics.

For biometrics to be useful, organizations must compare each new biometric observation against stored biometrics. That stored data may be subject to personal information protection law. There are a host of privacy laws and regulations governing the use of personal data, and some states have specific biometric privacy laws that provide protection for residents.


4 Legal Insights Into Federal Biometric Privacy Laws

There are no specific biometric privacy laws that cover the whole of the US. However, biometric data is covered by a host of federal laws. These laws will inform your decisions around cybersecurity, privacy, and consent.

Besides ensuring you are compliant with the law, it’s crucial that businesses address any liability concerns in their privacy policy. This also clearly demonstrates the steps you are taking to protect data and creates trust and transparency with customers.

To help businesses draft comprehensive privacy policies that cover biometric data protection, it’s advisable to consider using a reputable privacy policy template.

Let’s now examine how the use of biometrics interacts with federal legislation.






SCA Protects the Privacy of Stored Communications

The Stored Communications Act (SCA) was enacted as part of the Electronic Communications Privacy Act of 1986 (18 U.S.C. §§ 2701 to 2713). It’s intended to protect the privacy of electronic communications whilst in storage. One example of this would be emails held on a server, or subscribers to email services.

Violations of this law invite legal action. The act allows plaintiffs to sue for monetary damages, injunctions, and legal costs.

Although the SCA doesn’t specify biometrics, they’re certainly covered in the form of a stored email. Organizations may need to send biometric data via email from time to time. It also covers remote computing services. The SCA demands they take precautions to protect these communications when stored. If your organization holds emails containing biometric data, then make sure you have robust communications security protocols in place.

It’s also worth mentioning that biometrics don’t only represent a legal risk. You can use biometrics to boost the security of your systems. That includes stored communications. Biometrics can be an ally to help organizations avoid breaching biometric privacy laws.


GLBA Protects Customer Information Privacy

The Gramm–Leach–Bliley Act (GLBA) of 1999 (15 U.S.C. §§ 6801–6809, §§ 6821–6827) governs the way financial institutions handle customer data. It’s also known as the Financial Services Modernization Act. It changed the way banks and other financial services could do business in many ways. For example, it meant they could act as brokers for insurance products, something that was forbidden before the GLBA.

Biometrics are an incredibly effective way to verify payments. Thus, they play a vital part in the security arrangements of financial institutions. Millions of transactions are verified using smartphone face or fingerprint scanners every day. Consumers of financial services may also use voiceprints to verify their identity when speaking to their banks on the phone.

The GLBA covers “personally identifiable information”. As we’ve discussed, most biometrics are unique to the individual. As such, it’s easy to argue that they’re personally identifiable pieces of information. The act requires financial institutions to explain how they use this data. It also asks that they protect it from cybersecurity threats.

Financial institutions use digital systems for all aspects of their business. They often have to analyze large data sets, which may include biometric data. They need robust systems in place to ensure they don’t fall afoul of biometric privacy laws. This sort of work can be undertaken using a Hadoop cluster. They’re a low-cost and secure way of doing large-scale analysis.


HIPAA Protects the Privacy of Patient Health Information

The Health Insurance Portability and Accountability Act (HIPAA) came into being in 1996. It was intended to improve health care coverage and delivery for Americans, but it’s now a regime of national standards for the protection of patients’ private health data. That part of the act is the HIPAA Privacy Rule of 2002.

The HIPAA Privacy Rule demands organizations handling medical records put safeguards in place. The kinds of organizations covered by HIPAA are health care providers and insurers. These organizations now store most medical data digitally. Healthcare cloud computing is a growing trend, since it can help improve efficiency and lower costs. The medical data is known as Protected Health Information (PHI). Biometrics fall under the PHI category.

Under the HIPAA Security Rule (2009), organizations must protect PHI. Failure to do so could result in a data breach. Such breaches can expose organizations to legal action, damages for plaintiffs, and reputational harm. All organizations must consider cybersecurity risk management. This is especially true when biometric data is involved. They should conduct an analysis of their security protocols around biometrics.

Health data is often used for medical research. If that data is sufficiently anonymized, then researchers may use it. There are two methods of de-identification under the Privacy Rule:

  1. A qualified expert makes a formal determination that the data is sufficiently de-identified.
  2. Individual identifiers are removed from the data in question, and the remaining data cannot be used in isolation to identify an individual.

If you require personal information, then express written permission must be sought. In the case of biometrics like DNA, it’s hard to see how it could easily be anonymized, as it’s unique to the individual. That’s when steps must be taken to de-identify the data, separating DNA details from any other personal information, such as a name. Digital records of DNA can then be used by researchers without fear of violating HIPAA.


COPPA Protects the Privacy of Children’s Online Information

The Children’s Online Privacy Protection Act (15 U.S.C. 6501–6505), known as COPPA, entered into law in 1998. It imposes requirements on online services aimed at children under 13 years old. It also covers online entities that knowingly collect data from children.

Many sectors may find children’s biometric data very useful. Educational institutions can use it to grant access to their online services. Games designers can use biometrics for age verification or as part of their games. Eye-tracking, for example, is important for VR gaming.

There’s a lot of concern about children’s use of social media. There have been efforts to create online spaces specifically aimed at children, a bubble where children can safely interact with each other. Facial recognition software is one idea for verifying the age of users of such services. This helps to prevent older people from interacting with children on these services.

Facial biometric data is likely covered by COPPA. Thus, companies that wish to use this data must do so fairly and openly. They can’t gather biometric data without informing users when they collect it and how they use it. Under COPPA, this applies when the users are aged twelve and under.


Understanding State Biometric Privacy Laws

We’ve already mentioned that there are no nationwide biometric privacy laws, but some state legislatures have passed laws to tackle the use of biometric information. Other states have propositions for biometric privacy laws, but they’ve yet to pass.

  • The Illinois Biometric Information Privacy Act (BIPA): A set of requirements for entities using and storing biometric data. It provides a private right of action against entities that break the law.
  • The Texas Capture or Use of Biometric Identifiers Act (CUBI): This legislation prohibits the sale, lease, or disclosure of biometrics to a third party. In Texas, biometrics must have the same level of protection as any other private data.
  • Washington state’s H.B. 1493: Organizations must provide notice to an individual before gathering biometrics. They must also obtain consent. There must be a process to prevent the use of biometrics for commercial purposes. Privacy advocates see H.B. 1493 as weaker than BIPA or CUBI, because it doesn’t cover facial recognition data or voice prints.


Final Thoughts

If your organization makes use of biometrics, you can see it’s a tricky network of law to navigate. The key points are as follows. Ensure your professional communications are stored securely, especially when containing biometrics. Inform individuals when you collect biometric data and tell them how you’ll be using it. It’s best to seek express consent whenever practical. Lastly, avoid sharing biometrics with any third parties.

Biometric privacy laws are still evolving and expanding. Keep abreast of developments at both the state and federal levels.


Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.