Data has been at the forefront of innovation in the modern tech world. Apart from harnessing data for development, what is equally important is that companies prioritize understanding and protecting consumers’ data. But even with the best minds and technologies at use, organizations are prone to occasional lapses due to the complexity of data privacy laws.

Last week, an Illinois-based customer sued McDonald's for collecting their biometric data at its new AI-powered drive-thru windows. The AI-based system used voice-recognition software instead of human servers and also collected the customers' voiceprints in the process.

The lawsuit claims the system violates the state’s Biometric Information Privacy Act (BIPA) as the company did not seek user consent before collecting their voiceprints. Such suits can invite heavy penalties to companies, both in terms of monetary loss as well as reputational damage.

Face and voice recognition systems have now become ubiquitous in our everyday lives, and due to this fact, we often overlook how these smart devices and technologies are gathering data that is unique to an individual.

We have cellphones that use facial recognition and fingerprints, while health monitoring devices constantly keep track of our vitals, sleep, health, and exercise patterns. Our biometric data is frequently collected by businesses and employers for security and authentication purposes. And the ongoing Covid-19 pandemic has driven the need for touchless operations, further increasing the adoption of such technologies.

What is biometric data?

Biometric data consists of biological markers or indicators that allow a person to be identified. Biometric identifiers are truly unique to an individual and a convenient means of authenticating individuals.

Biometric data can be classified as physiological and behavioral data. Physiological data includes fingerprints, facial images, retinal scans, health data, etc., while behavioral data comprises behavioral patterns like typing cadence, gait patterns, signature, voice, etc.

Though it sounds simple in theory, the way some of the biometric laws have been formulated sometimes overlap or contradict one another. For instance, while the states of Illinois, Texas, and California include “face geometry” in their definition of biometric identifiers, the state of Washington does not.

Overlooking certain specifics like these could get one in trouble when complying with different regulations.

Importance of Understanding Biometric Laws

Biometric data is typically highly sensitive information, and it needs comprehensive regulations for proper governance. In the US, there is no single federal law governing biometric data and what we have is a few laws and regulations at the state level. However, the way of regulating biometric data fluctuates from one state to another.

While some states have included biometric data in the law governing personal data, some states like Illinois, Washington, and Texas have specific laws that focus on biometric data.

In January 2021, New York and Maryland introduced the ‘New York Biometric Privacy Act’ and the ‘Maryland Biometric Identifiers and Biometric Information Privacy Act,' respectively. Like BIPA, both these legislations provide a private right of action, a penalty of $1,000 per negligent violation and $5,000 per intentional violation, and attorney’s fees. All in all, such provisions could be appealing to class action litigants.

Facebook has been under a class-action lawsuit by Illinois residents claiming that the company subjected the plaintiffs to a facial recognition technology in violation of BIPA. Facebook lost its appeal in the 9th Circuit, and the court affirmed the class certification order. The court concluded that procedural violations of BIPA were sufficient for an individual to have the standing to sue.

For businesses operating in more than one state, the problem lies in the manner in which these states approach biometric data. Such companies will find it challenging to keep track of the various laws to comply with and the revisions they go through.

Organizations need to have an exhaustive system that can help them navigate through existing statutes while also ensuring they stay prepared for any upcoming regulations.