Administrative/Regulatory, Government
May 9, 2017
Biometric data laws are spreading across US
Considering the recent wave of biometric litigation, virtual and augmented reality businesses should address the privacy risks and legal requirements associated with biometric data.
Zerina Curevac
Associate
Squire Patton Boggs
275 Battery St Ste #2600
San Francisco, CA 94111
Phone: (415) 393-9832
Email: zerina.curevac@squirepb.com
Santa Clara University School of Law
Zerina focuses her practice on data privacy, cybersecurity, intellectual property and technology. She is a Certified Information Privacy Professional in U.S. privacy law.
To enhance the user experience, virtual and augmented reality (VRAR) businesses are increasingly collecting biometric data. While many users seem unfazed, and even welcome the collection if it improves the experience, legislators in several states are beginning to pay attention to the biometric data streams that VRAR devices generate.
With a recent wave of litigation under the Illinois Biometric Information Privacy Act and a handful of other states considering similar legislation, VRAR businesses in California and elsewhere would be wise to begin taking steps to address the privacy risks and legal requirements associated with the collection, use, retention and disclosure of biometric data.
Illinois and Texas already have biometrics laws on the books, while Alaska (House Bill 72), Arizona (Senate Bill 1373), Connecticut (House Bill 5522), Massachusetts, Missouri (House Bill 201), Montana (House Bill 518), New Hampshire (House Bill 523) and Washington state (House Bill 1493) are considering proposed biometrics laws. In Massachusetts, current proposals under debate would add "biometric indicator(s)" to the state's existing data privacy and security law (MA General Law Chapter 93H and 201 CMR 17.00). The Arizona and Missouri bills would restrict the collection of student biometric data without parental consent.
The California Legislature has attempted to regulate the collection of biometric data in the past, and may look to the proposed legislation as examples for drafting biometric data statutes in the future.
Biometric Data Defined
The VRAR industry collects physical, physiological and behavioral biometric data streams through eye tracking, facial recognition, brainwave sensing and other methods. The Illinois and Texas laws define biometric data narrowly, limiting it to characteristics such as retina or iris scans, fingerprints, scans of hand or face geometry, and voiceprints. Some of the proposed state laws are much broader; Montana's bill, for example, expands the definition to include behavioral characteristics.
Though the wide range of biometric data collected by the VRAR industry may not be fully captured by the current or proposed biometric laws in the United States, multinational VRAR businesses may be subject to broader international laws, such as the EU's General Data Protection Regulation (GDPR), which applies from May 25, 2018. The GDPR defines biometric data to include physical, physiological and behavioral characteristics. The fines for noncompliance can be very high: violations of certain GDPR provisions carry fines of up to four percent of a company's global annual turnover or 20 million euros, whichever is greater.
What Are the Privacy Risks?
The collection of biometric data poses privacy risks and challenges for the VRAR industry similar to the privacy risks presented by genetic data handling.
Consumers' lack of familiarity with biometric data is an issue, as the average user will not be accustomed to the types of data being collected. The challenge for the VRAR community is this: how do you educate consumers about the risks of biometric data handling when those risks have not yet been fully explored? One thing is certain: long privacy policies are not the answer.
Furthermore, it can be challenging to describe what a consumer is actually consenting to. Consumers might believe they are providing biometric data deliberately, but many biometric data streams (eye movement, for example) are captured passively, without any conscious act by the user. A mismatch between what users believe they are sharing and what is actually collected could draw Federal Trade Commission enforcement under its authority over unfair or deceptive acts or practices. Companies should therefore be transparent and explicit about their data handling practices to avoid enforcement actions.
Much like genetic data, most biometric data is highly immutable; that is to say, most biometrics cannot be changed. Changing your fingerprint is not possible, for example. Unlike a stolen password, a stolen biometric cannot be rotated or revoked, so the main concerns with a breach of biometric data are authentication fraud and identity theft that persist for life. While behavioral and some physiological biometrics can change over time (a person can learn to write in a different style, for instance), parts of that data may still be unique to a given individual. Therefore, VRAR companies will have an even greater need for secure systems, privacy by design and clear policies.
It can also be challenging for biometric technologies to incorporate a notice and consent requirement within an interface. For example, it's not clear how to provide notice and consent to consumers when using targeted advertising that is based on facial recognition technology in the retail environment - the Connecticut Legislature is currently working on this precise issue. The VRAR industry will need to consider both legal and practical solutions to overcome this challenge.
The challenges surrounding the collection and use of children's biometric data should also be a concern for the VRAR industry. VRAR companies will need to ensure that they comply with the Children's Online Privacy Protection Act (COPPA), which the FTC enforces, and with any other laws governing children's online privacy.
Biometric data may be valuable to law enforcement and other government agencies, and can be subpoenaed or requested by warrant. To reduce the amount of data that can be compelled, businesses should consider data minimization (collecting and retaining only what the product needs) and anonymization.
Legal Requirements
Depending on whether your business is a multinational corporation or domestic to the United States, it may be subject to many different requirements in handling biometric data. For multinational businesses, a good place to start is ensuring that data handling is compliant with the EU's GDPR, as the EU is considered one of the most stringent data protection regimes in the world and many other countries now model their data protection laws after the GDPR.
In the United States, it remains to be seen in what form the proposed state laws will be adopted. However, litigation under the Illinois law continues and will likely increase, because the law grants consumers a private cause of action, with statutory awards of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.
Under the Illinois law, the Texas biometric law and the proposed state laws, businesses are generally required to: provide notice and obtain consent (written consent under the Illinois law) from consumers before collecting their biometric data, maintain a retention and destruction policy that meets statutory requirements (which Illinois requires be publicly available), and disclose biometric data only for specified and limited purposes; the details vary by statute. To comply, VRAR companies will need to take steps including, but not limited to, conducting gap assessments and privacy impact assessments, providing notice and obtaining consent, and managing vendors' handling of biometric data.
The VRAR industry has an opportunity to take a proactive approach to biometric data handling as laws develop in this area. Privacy and security can be competitive advantages, especially at a time when many consumers see their data privacy eroding. By thinking about the legal and practical requirements now and addressing privacy in the product design stage, VRAR businesses can increase their speed to market, build trust with consumers and mitigate future reputational risks.