Biometric identifiers, including facial structure, fingerprints, voiceprints, and even keystroke patterns, are being collected excessively in many public and private settings. For example, cities such as San Francisco have prohibited the government's use of facial recognition technology. However, private companies have easily bypassed these prohibitions by changing how they refer to biometric data and by using contractors to carry out the collection. Instead of calling it "biometric data," companies now refer to it as "behavioral analytics" or "customer engagement metrics," and outsource raw biometric collection to third-party vendors that fall outside the local restrictions on collecting biometric information.
This creates a booming underground market in which consumers' physical identities are repackaged, analyzed, and sold, sometimes even without their consent. Most consumers are entirely unaware of how deeply their biometric identifiers are being used because it is rarely explained, if at all, in privacy policies or privacy disclosures.
Why Does This Legal Gap Persist?
The U.S. does not have a federal statute governing biometric data privacy; as such, protections are highly decentralized. The Illinois Biometric Information Privacy Act (BIPA) is one of the strictest in the country, allowing individuals to sue entities for unauthorized use of their biometrics, with statutory damages as high as $5,000 per incident [1]. Since the law was passed in 2008, BIPA has prompted over 200 lawsuits, illustrating that it has some teeth. In contrast to these relatively strong protections, many states, including Texas and Florida, are fairly lenient: no law prevents the indefinite retention and monetization of biometric data, and there is generally little accountability.
In many instances, companies will assert that biometric data is "anonymized" or "de-identified." However, independent research from MIT’s Data Privacy Lab indicates that there are methods to re-identify over 95% of anonymized biometric datasets using only publicly available data, putting consumers at risk of privacy violations and potentially exposing them to misuse of their data [2].
The High Stakes Involved in a Breach of Biometric Data
Biometric identifiers, unlike passwords or credit card numbers, are immutable; once compromised, they can never be reset or changed. Data breaches have already disclosed millions of biometric records, including the Equifax breach in 2017, in which the financial and biometric data of 147 million Americans were compromised [3]. Cybercriminals have used stolen voiceprints to perpetrate complicated forms of phone fraud, and facial recognition databases show up regularly in dark net markets.
The permanence of biometric identifiers increases the risks of identity theft, unauthorized surveillance, and discriminatory profiling, prompting calls for immediate reforms.
The Stalemate in Federal Legislation
Congressional attempts to pass federal biometric privacy legislation, including the National Biometric Privacy Act, have been derailed amid a flood of lobbying from technology and retail businesses. Industry proponents have claimed that regulation of this type would "stifle innovation" and "kill jobs" [4]. However, privacy advocates continue to assert that without enforceable federal standards, the current unregulated commercial market in biometrics will continue to flourish, and human aspects of identity will be commodified with no ethical standards in place.
The Federal Trade Commission has issued warnings and pursued enforcement actions; however, it has limited power without a strong federal statute [5]. Until such protections are implemented, consumers need to stay aware, assume that biometric data is always being collected, and avoid sharing data when it is possible to do so.
The Future of Biometric Data
As the biometric data revolution creates possibilities and dilemmas, the absence of comprehensive privacy laws leaves vulnerable people helpless as they risk a permanent loss of control over their most essential identifiers. Absent legislative reform, biometric information may become a permanent commodity in the market, taken from individuals in silence and sold to a broad swath of businesses.
References:
[1] Illinois Biometric Information Privacy Act, 740 ILCS 14 (2008)
[2] MIT Data Privacy Lab, “Re-identification Risks in Anonymized Datasets,” 2023
[3] U.S. Government Accountability Office, “Equifax Data Breach Report,” 2018
[4] Wired, “How Tech Lobbyists Stall Biometric Privacy Reform,” 2024, https://www.wired.com/story/facial-recognition-loophole-retailers/
[5] Federal Trade Commission, “Biometric Information and Privacy Enforcement,” June 2023, https://www.ftc.gov/advice-guidance/blog/2023/06/biometric-information-privacy-and-ftc-act