Legal Matters

Biometric Laws and Privacy

We have all heard the saying that no two fingerprints are alike. And that’s true: even identical twins, who share the exact same genetic material, will have different fingerprints. However, we are rarely taught that other aspects of our biology are unique as well. Our physical characteristics—such as our voiceprints, facial measurements, etc.—comprise what experts call our biometric data.

Biometric data is perhaps the most personal form of data because it can only be generated by you. However, because our biometrics are not often viewed as data, many of us have shared this information without realizing the potential consequences. Earlier this year, the Federal Trade Commission issued a warning that “the increasing use of consumers’ biometric information and related technologies, including those powered by machine learning, raises significant consumer privacy and data security concerns and the potential for bias and discrimination.” Just as we have observed the proliferation of Generative AI, so too have the past few years seen a rise in biometric information technologies.

One example is close to hand: the privacy protection on your cell phone. On some devices, users have their unlock feature synced to their fingerprint; however, once enabled, this seemingly innocuous protection is transformed into data that your phone carrier collects. Although this form of two-factor identification is the staunchest form of security, the sensitive nature of this data leaves you more vulnerable in case of a breach. This is because, at the moment, the United States does not have any federal laws governing the use or collection of biometric data.

However, there has been some action on the state side. In 2008, Illinois enacted the first biometric data privacy law, and notable cases over the last few years (including one against Facebook) have made it easier to file lawsuits when biometric data has been put at risk. This private right of action is unique to Illinois: five other states currently have comprehensive consumer privacy laws that will govern biometric information, but these are not biometric-specific bills. As we have previously seen, there is a good chance that these privacy laws will continue to be adopted across the country, but that is no guarantee.

This means that individuals need to be vigilant about their biometric data and not needlessly agree to give it away via terms of service or innocuous practices. For example, before setting up two-factor identification via your fingerprint, consider employing tokenization or some other two-step process that does not involve your biometric data. There may come a time when these practices are more protected, but for the moment, consumers should remain vigilant.