The pandemic made collecting biometrics and other biological information increasingly necessary, but are individuals giving away their fundamental privacy rights in the process—the right to their own biological data?
Biometric privacy and regulations context
Biometric data is any information that can identify an individual. Fingerprints, retinal scans, facial recognition, typing cadence, voice patterns, signatures, DNA scans, and even behavioral patterns such as web search histories are all examples of biometric data. The information is often used for security purposes, as it is challenging to fake or spoof because of each individual’s unique genetic patterns. Biometrics have become common for crucial transactions, such as accessing information, entering buildings, and carrying out financial activities. As a result, biometric data needs to be regulated, as it is sensitive information that can be used to track and spy on individuals. If biometric data falls into the wrong hands, it could be used for identity theft, fraud, blackmail, or other malicious activities.
There are a variety of laws that protect biometric data, including the European Union’s General Data Protection Regulation (GDPR), Illinois’ Biometric Information Privacy Act (BIPA), the California Consumer Privacy Act (CCPA), the Oregon Consumer Information Protection Act (OCIPA), and the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). These laws have different requirements, but they all aim to protect biometric data from unauthorized access and use by forcing companies to ask for consumer consent and to inform consumers of how their information is being used. Some of these regulations go beyond biometrics and cover Internet and other online information, including browsing, search history, and interaction with websites, applications, or advertisements.
Businesses will need to ensure that biometric data is adequately protected by implementing reasonable security measures, such as encryption, password protection, and limiting access to authorized personnel only. Companies can also follow best practices to make data privacy law compliance easier, such as outlining all areas where biometric data is collected or used, determining who needs to be notified, creating clear policies on the collection, use, and retention of data, and constantly updating policies and practices. Additionally, firms should take care with release agreements and ensure they don’t make essential services or employment conditional upon releasing biometric data.
Unfortunately, companies are not always strictly compliant regarding data privacy. For example, the fitness and wearables industry collects thousands of pieces of health information daily, from the number of steps (including geolocation tracking) to heartbeats per minute. It’s a known practice to use the collected biometric data to target ads and sell products to consumers. Another sensitive issue when it comes to data privacy compliance is home diagnostics. Companies may receive consent from customers to use their genetic and other intimate health information for research purposes, giving them a wide berth in what they can do with the data once they obtain it. 23andMe, which maps consumers’ ancestry based on their DNA, made millions of dollars by selling the behavioral, health, and genetic insights it had gathered to Big Pharma and biotechnology firms.
Implications of biometric privacy and regulations
Wider implications of biometric privacy and regulations may include:
- More laws that further detail biometric data capture, storage, and usage, particularly for public services such as transportation, mass surveillance, and policing. However, this doesn’t mean that all jurisdictions will have their own biometrics privacy regulations.
- More big tech companies being monitored and fined for unauthorized use of data.
- Industries that collect high-volume data daily, such as security and fitness providers, being required to regularly report on how this data is being stored and used.
- The rise of more data-intrusive industries like biotech and genetic services firms that will require more biometric information.
Questions to comment on
- What are the products and services that you consume that require your biometrics?
- How do you protect your biometric information online?