These are exciting times for biometrics, with the authentication method(s) moving into the mainstream. But a biometric backlash is underway — and, it seems, a backlash to the backlash, at least in one sense.
You’ve likely heard the news out of San Francisco.
That city recently became the first major U.S. city to enact a ban on facial recognition technology (another vote is needed to make the ban final, but it seems all but certain, given the 8-1 vote by the city’s Board of Supervisors in favor of the ban). The ban does not apply to consumers; it covers only the use of facial recognition technology by city workers. The rule also calls on city agencies to submit their surveillance technology policies so the public can review them. San Francisco lawmakers in favor of the ban cited privacy and civil rights concerns.
Indeed, privacy advocates and civil rights groups, as well as Microsoft, have called for the government to regulate the technology. Earlier this year Microsoft CEO Satya Nadella said during the World Economic Forum in Davos that he supports regulation of the technology. He said at the time that as the use of facial recognition technology grows, self-regulation may not go far enough to contend with the impact it may have on society.
Biometric Law Evolves
Biometric case law is advancing as the technology gains more mainstream use, including from the likes of Google and Facebook.
The Illinois Biometric Information Privacy Act, commonly known as BIPA, not only stands as the strictest biometric privacy law in the U.S., but also serves as the model for other laws that have been crafted or are being considered by other states (much as Europe’s GDPR has sparked other data privacy efforts around the world). There exists no similar federal law in the U.S.
The Illinois law requires that companies collecting biometric information like iris and facial scans or fingerprint data get prior consent from individuals. Companies also have to let people know how they’re going to use the data and the length of time the records will stay in their possession.
Illinois is not the only place where precedent and practices are being established for biometric law, and not the only state where companies in the business of biometric authentication, payments and commerce should focus their attention. Two U.S. senators — Missouri Republican Roy Blunt and Hawaiian Democrat Brian Schatz — have introduced legislation that would prevent businesses from collecting and using facial recognition data without the consent of consumers.
But there is a backlash to the backlash brewing, at least in a general sense. It stems from California, and though its focus is that state’s GDPR-like privacy law, it’s not difficult to see how it will encompass biometric authentication, given how closely related the two issues are.
According to a recent report from Wired, “the California Assembly’s Committee on Privacy and Consumer Protection [has] advanced a series of bills that would either amend CCPA or carve out exemptions for certain categories of businesses. These bills received widespread backing from business groups, including the California Chamber of Commerce, as well as leading tech lobbying firms that represent the likes of Facebook, Google, Amazon, and Apple.”
Those proposed bills, the report said, “aim to make the law easier for businesses to comply with and less disruptive to their operations — even if that means giving them more control over people’s data than privacy advocates would like.”
That could impact not only biometrics — at least one proposed bill involved in this larger backlash would carve out privacy exceptions for loyalty cards. Under the California privacy law, “businesses wouldn’t be able to charge higher prices or offer different services to customers who opt out of having their data collected or sold. Known as the nondiscrimination provision, this is supposed to prevent companies from penalizing people who exercise their privacy rights,” the report said. One of the proposed bills would change that.
As both biometric authentication technology and data privacy concerns advance, you can bet on more such efforts as the law around those issues — already so closely linked — continues to evolve.