Privacy Regulatory Trends: Personal Information and Biometric Data Privacy Laws

At the core of every national, global, and industry-specific privacy law are protections for individuals’ personal information (PI) and personally identifiable information (PII). Just as the definitions of PI and PII continue to expand and evolve, the laws to protect them do too. Recently, several bills have modified definitions of PI to include medical information, and to separately define biometric data and genetic data, essentially building biometric data privacy laws into existing legislation.

You may have heard of Illinois’ Biometric Information Privacy Act (BIPA), biometrics data privacy law that stipulates that no private entity can collect, capture, purchase, receive, or obtain biometric identifiers or biometric information.

BIPA was enacted in 2008 and regulates the collection and storage of biometric information, including identifiers such as retinal scans, iris scans, fingerprints, palm prints, voice recognition, facial-geometry recognition, DNA recognition, gait recognition, and even scent recognition, according to The National Law Review.

With mobile phone applications, Internet of Things, and contactless payments now part of our everyday lives — each using a form of biometrics — our PI footprints have greatly expanded.

With mobile phone applications, Internet of Things, and contactless payments now part of our everyday lives — each using a form of biometrics — our PI footprints have greatly expanded.

“While convenient, highly accurate, and efficient, use of biometric technology at work brings about a slew of legal and regulatory-compliance issues,” covers The National Law Review.

To date, Arkansas, California, New York, Texas, and Washington have passed their own biometric statutes or expanded laws to include biometric identifiers, although none as stringent as Illinois.

Biometric data and privacy go hand-in-hand. Consider the recent Facebook privacy lawsuit over facial recognition that led to a $650 million settlement — one of the biggest private lawsuits ever.

The lawsuit was based around users who alleged the company created and stored scans of their faces without permission, according to CNET. “Biometrics is one of the two primary battlegrounds, along with geolocation, that will define our privacy rights for the next generation,” stated Attorney Jay Edelson, who filed the Facebook lawsuit.

Genetic information is another privacy topic gaining widespread visibility since the Genetic Information Nondiscrimination Act (GINA) took effect back in 2009. There is now new guidance around employers and their employees getting vaccinated for COVID-19 and needing to comply with GINA.

From Mondaq, “Employers should keep in mind that if they obtain vaccination information from their employees they must keep this information confidential pursuant to the ADA…and the Genetic Information Nondiscrimination Act.”

Why are States Redefining Biometric and Genetic Data?

As the collection of biometric information advanced, so too did the technologies capable of collecting information as well as the potential applications of collecting such data.

At the time the Federal Trade Commission (FTC) and the Department of Commerce National Telecommunications and Information Administration (NTIA) came to include “biometric information” in legislation, rather than attempting to define a moving target, their guidance concerned the use of biometric information to uniquely identify or authenticate individuals.

This intent is mirrored in many state amendments to the definition of personal information, such as Arkansas’ HB 1943 which defines it as:

“‘Biometric data’ means data generated by automatic measurements of an individual’s biological characteristics, including without limitation: Fingerprints; Faceprint; A retinal or iris scan; Hand geometry; Voiceprint analysis; Deoxyribonucleic acid (DNA); or Any other unique biological characteristics of an individual if the characteristics are used by the owner or licensee to uniquely authenticate the individual’s identity when the individual accesses a system or account.”

Privacy leaders must navigate a patchwork of laws and regulations when performing incident risk assessments.

Whereas North Carolina’s breach notification law serves up a definition of “personal information” that simply includes “biometric data” with no further clarifications.

Concerning the continued adoption of biometric information as a unique dataset within personal information, this year the New York Times writes of BIPA as “The Best Law You’ve Never Heard Of” to express the current reclamation of personal data privacy for consumers.

As more states seek to regulate and protect biometric data, companies that collect, use and store biometric data should consider creating and implementing policies and procedures that incorporate the appropriate security, notice, and consent requirements, even if they are not currently required to do so by law.

However, until all 50 states amend their definitions of personal information to include biometric data, privacy leaders must navigate a patchwork of laws and regulations when performing incident risk assessments.

Determining Risk of Harm

Consider this: “When determining whether affected individuals require notification following an incident involving personal information, one of the most important factors to evaluate is whether or not the applicable laws provide for a consideration of risk of harm to those affected individuals, and what the standard of harm entails,” writes Kelly Burg, lead product manager at RadarFirst, who wrote an article, “Risk of Harm Standards in Breach Notification,” in Risk Management. Burg outlines key nuances in U.S. state and global risk of harm standards, as they vary by state and region.

The definitions of personal or sensitive information are broadening, especially in Europe. This information can include an individual’s political affiliations, sexual orientation, or religious beliefs — data not currently specified as regulated under U.S. state law, observes Burg.

If your organization is keeping track of changing definitions of PI without the help of intelligent incident response software, you may be exposing yourself to inefficiency and risk.

For Radar® Privacy users, note that the intelligent incident response solution updates regulatory definitions of information that may be included in data breaches, including biometric and genetic information as standardized within HIPAA.

Privacy advocates are demanding stronger biometric privacy protection across the country, while businesses and the tech industry view biometric laws as an unnecessary deterrent at the time of innovation and the increasing need to rely on biometric data to authenticate customers and employees.

At a state-by-state level, definitions of biometric information vary, as do the notification obligations and timelines of data breaches that involve personal biometric information.

If your organization is keeping track of changing definitions of personal information without the help of intelligent incident response software which streamlines risk assessment and provides consistent and efficient obligations for breach notification laws, you may be exposing yourself to inefficiency and risk.