Biometric Information Privacy Laws and the Increasing Regulation of Facial Images
By: Webb McArthur, Hudson Cook and Megan Nicholls, Hudson Cook
In the increasingly broad landscape of laws impacting consumer reporting agencies, biometric information privacy laws are an area of recent development. Currently, Illinois, Texas, and Washington require consumers to consent to the collection of biometric information, in addition to imposing data security requirements on businesses processing biometric information. The biometric information regulated by these laws includes certain biometric identifiers, like fingerprints, handprints, and retina and iris scans, but it also includes scans of face geometry. Considering developments in the area of facial recognition technology enabling the automated processing and analysis of images, the collection of photographs on individuals may raise concerns under biometric information privacy laws. Consumer reporting agencies and other data providers and users need to consider critically whether these laws impact their data processing, particularly where they process photographic scans or images.
The Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., as well as the Washington Biometric Privacy Law, Rev. Code Wash. § 19.375.010 et seq., make clear that photographs on their own are not biometric identifiers regulated by the laws, but facial geometry data points gleaned by automated processing from these photographs would be subject to these laws. A 2017 case out of Illinois, Monroy v. Shutterfly, Inc., 2017 WL 4099846 (Dec. 21, 2017), first raised these questions under the BIPA, which provides for a private right of action. Similarly, in Patel v. Facebook, Facebook paid $550 million to settle class allegations that it violated the BIPA by deploying facial recognition software on images through its social media site.
But legal risks are not limited to the BIPA. The Texas Attorney General recently sued Meta (formerly known as Facebook) for violating the Texas law, the Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001, alleging that the company had not properly obtained consent required by the law. The suit alleges that Meta stores and resells biometric identifiers in the form of face geometries.
Other states, such as New York, are currently exploring biometric privacy as well. Much of the new legislation rely on Illinois, Texas and Washington law components, including disclosure and consent and data retention limitations. With many state legislators wrapping up sessions in the next few months, businesses should be paying attention as the compliance requirements imposed by the laws in this area may become more broadly applicable.
The California Consumer Privacy Act and other state laws in Virginia, Colorado, and Utah also regulate biometric information by categorizing certain information as personal information under the laws. Unlike the Illinois, Texas, and Washington biometric privacy laws, however, the broad consumer privacy laws include exemption for data regulated by the FCRA and other federal laws. Even with these specified exemptions, consumer reporting agencies gathering, maintain, storing or processing photographs should be mindful of these laws and may need to consider the precise language of applicable exemptions to consider whether they apply to information at risk of being characterized as personal information under those laws. In particular, special consideration should be given to products which assist with or provide automated processing of photographs as either the core product functionality or as an ancillary benefit.
States also restrict the scanning and use, including storage, of driver’s licenses. These laws commonly permit certain uses, including identity verification, age verification, legal compliance purposes, or other uses with individual consent. Businesses using scans, photographs, or other images of driver’s licenses may need to consult these state laws to confirm their uses are permitted by these laws.
Finally, although no federal law specifically regulates biometric information, UDAP prohibitions, including under section 5 of the FTC Act, would apply to the processing of biometric information. In this vein, businesses need to keep in mind data processing impact assessments are critical to assess UDAP risks, particularly as they relate to disclosures and consents. The FTC has signaled its attention in this area, taking action against Everalbum, a photo and video storage application. In line with state laws in this area, the FTC required Everalbum to provide a disclosure, separate and apart from any privacy policy or terms of use (such as on a webpage), obtain “affirmative express consent” prior to collecting any biometric information, and delete information about its app’s users that had requested account deactivation.
The activity at the state and federal levels shows that consumer privacy is top of mind and businesses should proactively assess their compliance requirements. As a starting point, businesses should determine, potentially as part of the business’s data inventory process, whether facial photographs are stored, processed, used or analyzed as part of any of the business’s process. If such photographs are part of the business’s data inventory, then the business should closely examine all processes related to the photographs. As is key with most compliance initiatives, knowing what data the business holds (including images) and how that data is used are key questions to answer when determining risk.
Data processing impact assessments meant to assess process changes are useful tools for businesses to consider the risks, including legal compliance risks, associated with business activities involving such data. Such assessments not only guide businesses in deciding whether particular processing activities are functional and necessary, but they also help businesses construct appropriate guardrails to account for any changes to processing activities. Particularly applicable to biometric identifiers are requirements related to disclosure and consent, data retention policies (and whether such policies need to be publicly accessible), and appropriate controls for securing and destroying the data. These guardrails should be constructed with the assistance of experienced legal counsel and knowledgeable compliance professionals and periodically reviewed to ensure compliance with the rapidly evolving legal landscape.
Celebrating its 25th anniversary in 2022, Hudson Cook, LLP is a national law firm representing the financial services industry in compliance, privacy, litigation, regulatory and enforcement matters. From our 13 nationwide offices, we leverage the knowledge of our attorneys, who understand the complex and interrelated laws and regulations applicable to the consumer and commercial financial services and banking industries.
Hudson Cook, LLP is a sponsor of the 2022 CDIA Law & Industry Conference. To register for the conference, visit our event page