Our modern technology landscape has created a massive data ecosystem that is constantly growing in types, categories, use cases, and storage and collection capabilities. In recent years we’ve seen the advent of a particular subset of PII (Personally Identifiable Information): biometric data. Biometrics has become intertwined with our daily lives as a form of identity recognition, authentication, access control and even common activities such as tracking one’s fitness goals. From wearable biometrics such as smartwatches, to opening your banking app with Face ID, to airports utilizing retina scans for identity recognition, the use cases for biometric technologies continue to develop every day. Just in the past few weeks Washington state legislators have been debating biometric identity verification for the purchase of age-restricted products such as alcohol. The specific biometric technology in this case is a palm scan for identity recognition.
As with any emerging technology, the questions of data privacy, security, and regulation are hot topics. In Europe, the General Data Protection Regulation (GDPR) has set the stage for data privacy regulations, while the U.S. has yet to enact federal legislation related to biometric technology. Rather, it is left to the states to decide how to navigate the protection of this data type. The state of Illinois became a pioneer in digital security with the Biometric Information Privacy Act (BIPA, 2008). The legislation regulates private entities’ collection, usage, and storage of biometric data. Interestingly, the act does not apply to government entities.
BIPA has remained front and center of technology regulation debates since its inception, with a plethora of lawsuits against organizations and businesses for violating BIPA. Specifically, the lawsuits center on the retention, collection, disclosure and destruction of individuals’ biometric data. In 2022 alone there were over 250 BIPA lawsuits, and over 180 BIPA suits were filed in the first six months of 2023. The early 2023 case Cothron v. White Castle Systems exemplifies the ever-evolving nature of BIPA. In this case the Illinois Supreme Court held that if a company scans, or in any way transmits, biometric data without an individual’s prior informed consent, the company is liable for a separate violation each time this data is scanned or transmitted. This means that if a fingerprint is scanned 1,000 times for building entry, the business will be liable for financial and/or statutory penalties 1,000 times for that one individual. With several individuals the number is only amplified. The financial penalties are severe, as we’ve seen with the BNSF Railway case, in which a jury fined the company $5,000 for each of its 45,600 violations of BIPA. While this particular decision, which would have been a $228M penalty, was thrown out on appeal, BNSF Railway did reach a settlement on September 18th, 2023. Terms of the settlement have not yet been disclosed.
Thus, it is apparent that biometric data, while convenient, is also a double-edged sword with potential negative by-products. On the one hand it is user-friendly, convenient, highly accurate, carries a lower risk of identity theft and provides an enhanced level of security. However, there is also great risk if biometric data is compromised, because the very property that made it secure is then shattered. Think about it this way: unlike quickly changing a breached credential such as a PIN or passcode, once an individual’s Face ID or fingerprint is breached there is no way to update or change those biometric identifiers as you would a passcode. As a result, your immutable facial geometry, fingerprint pattern or retina scan, which is most likely linked to other accounts and devices, is now compromised for perhaps a lifetime. This invasion of privacy is almost toxic, as one occurrence can have an irrevocable domino effect on an individual’s digital, and potentially physical, security. Biometric data at its core is more biological, behavioral and personal than other types of Personally Identifiable Information (PII) such as birthdate or blood type.
We are also seeing the onset of biometric encryption, a type of encryption that uses biometric data as a key to protect sensitive PII such as medical records or financial information. This further exacerbates the risk of using biometric technologies, since a compromised biometric now also exposes everything it was used to protect. One may ask, when do the negatives outweigh the positives?