What is biometric data and how is it legally protected?

Biometric identification systems are becoming more common and data points are being tracked more regularly with the rise of new devices in the video game and VR industries. What is biometric data, though, and is this data currently legally protected?

What is biometric data?

“Biometrics” is the primary term for body measurements and calculations involving those measurements. They’re metrics related to human characteristics and they’re typically identified and utilized on an individual basis.

Biometric data points can include things like:

  • fingerprints
  • DNA
  • face recognition
  • palm prints
  • iris recognition
  • hand geometry
  • retina
  • body odor
  • palm veins
  • ear form
  • keyboard strokes
  • gait analysis
  • voice
  • body geometry

Note that there’s a difference between biometric data and so-called “soft” biometrics. Soft biometrics are traits that are physical, behavioral or other identifiable characteristics but they aren’t as distinctive or permanent as the data points listed above. Things like height, gender, hair color and other identifiers are not always as unique or reliable, especially because some soft biometric data points can be faked.

Biometric data is currently primarily used for identification but also for authentication. Police have been fingerprinting people for over a century and have had biometric databases since the ’80s. Use of biometric data isn’t new, but use in the consumer space (for example, using a fingerprint to unlock a device) is relatively new and has grown rapidly within the past decade.

Biometrics began to enter the video game scene more heavily with the launch of Microsoft’s Kinect in 2010, along with other peripherals like the Nintendo Wii Balance Board (released in 2009).

How are biometrics currently legally protected in the United States?

The growing popularity of wearables, like Fitbit (who released their first tracker in 2013), and the increasing use of biometrics have raised many questions about biometrics, especially as more commercial uses have emerged, like MasterCard’s acceptance of selfies in lieu of passwords in 2016.

Right now, there are a few standard rules of biometrics usage to keep in mind in the US, but for the most part, laws regarding biometrics have been handled on a state-by-state basis. A few examples:

  • In California and Delaware, websites focusing on K-12 schools are not allowed to sell the biometric data of students and are restricted in using the data.
  • In North Carolina and West Virginia, biometric data of students may not be kept in student data systems.
  • North Carolina also has the Identity Theft Protection Act that lists biometric data as an element that constitutes personal information – any entity conducting business in NC and gathering data about NC residents must take measures to protect the information against unauthorized access, like proper disposal of the information.
  • Illinois explicitly prohibits the collection of biometric data from students without parental consent.
  • Illinois also introduced the first Biometric Information Privacy Act (BIPA) in 2008, followed shortly by Texas in 2009. BIPA requires informed consent before biometric data is collected, prohibits companies from profiting from biometric data, permits only a limited right to disclose the data, mandates protection obligations and retention guidelines, and creates a private right of action for any individuals harmed by violators of BIPA.
    • Alaska and Washington are also considering bills with similar provisions to BIPA.

Utah is unique in its use of biometrics, as it requires applicants for non-REAL ID driver licenses to provide fingerprints. California and Colorado also fingerprint all driver license applicants.

Walt Disney World is currently the single largest public commercial application of biometrics in the United States.

It is also worth keeping in mind that the list of countries using and applying biometrics is growing, and that different countries are using biometrics in vastly different ways. For example, Chinese police now have sunglasses with built-in facial recognition that can be used to scan travelers and citizens.

What are some of the legal issues on the horizon for biometrics?

Biometric data is inherently public compared to other means of unlocking devices, like passwords, and the use of biometric data has been largely unregulated to date. Biometric data is a complex issue involving privacy, consent, security and many more areas of growing importance.

At the time of writing, it is legal in 48 states in the US for software to identify you using images taken without consent while you’re in public. The exceptions have been noted above – Texas and Illinois do not allow biometric data in commercial usage settings, although it’s still legal for law enforcement to utilize biometrics.

With the rise of VR and eye tracking mechanics, it is important for developers to know the basics of what has and hasn’t been established yet in this space. Microsoft, for example, has led the way by self-regulating ever since the launch of the Kinect, allowing only very limited uses of the software on an opt-in-only basis. But app developers who utilize phone features like Apple’s Touch ID will need to stay on top of these laws and regulations too – especially in terms of keeping the data and sensitive information secure.

To learn more about how you might be affected by biometrics data and make sure your company is protected in this new space, contact us.