In the face of sparse state legislation on biometric data, the Federal Trade Commission last week voted to adopt a policy statement about the usage of consumer biometric data by companies. While citing concerns about privacy, data security and the potential for bias and discrimination, the statement also stands as the first formal position from the federal government on what it will consider as a biometric identifier.
Through its definitions of protected data, the statement affirms much of the regulation contained in the “gold standard” of biometric data laws: 2008’s Illinois Biometric Information Privacy Act, or BIPA. Not only was it the first state-level biometric privacy law, it’s also been touted by privacy experts as the most effective and enforceable law with its private right of action that allows individuals to bring action against companies found violating it.
Several other states, such as Maine, are attempting to follow Illinois by passing their own BIPAs this year, but Washington state’s My Health, My Data Act, which passed last month, is a contender for that leading spot in state-level biometric regulation. While it primarily covers data related to consumer health, its broad definitions of protected data include biometrics, and it also features a private right of action.
Privacy experts told StateScoop that BIPA-style pieces of legislation and Washington’s My Health, My Data act are more effective in protecting consumer privacy because they include broader definitions of protected data and they’re enforceable. And when compared to the leading comprehensive privacy laws, like the Virginia Consumer Data Protection Act, narrow definitions of protected data can create loopholes that still allow for biometric data to be collected and stored with little or no regulation.
A new definition
Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals, told StateScoop that the statement the FTC published last Thursday is one of the most detailed policy statements he’s ever seen from the commission with respect to biometrics.
“It’s not so much focused on particular technologies or purposes, it’s more focused on sort of how a company should go about notifying people about the use of biometric technologies,” he said.
In addition to laying out what practices the commission might begin considering as potential violations of Section 5 of the Federal Trade Commission Act — which covers unfair or deceptive commercial practices — the statement also clarifies the definition of biometric data to include data derived from images.
“Biometric information also includes data derived from such depictions, images, descriptions, or recordings, to the extent that it would be reasonably possible to identify the person from whose information the data had been derived,” the statement reads.
This means that even a photograph of a person’s face, and the data that can be extracted from it, counts as biometric information under the FTC definition, so long as the person could reasonably be identified from it.
Maine lawmakers last month introduced their own version of BIPA, modeled on the Illinois law. It defines biometric identifiers similarly to the FTC, by including in its definition information generated or collected from photographs or video.
The Washington example
Washington state’s My Health, My Data Act draws parallels with legislation in Illinois and Maine, as well as the FTC’s statement. It broadly defines biometric data as “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template can be extracted; or keystroke patterns or rhythms and gait patterns or rhythms that contain identifying information.”
Along with being the first health-data-specific privacy law, My Health, My Data also fills a gap in the Washington Biometric Privacy Act by expanding the state’s definition of biometric data, which includes images.
“It’s hard to overstate the impact of the My Health, My Data Act, because it is an entirely opt-in regime that sort of requires consent for anything, and it has very strong, very broad definitions of covered data, including its biometric definitions, but also anything that might be considered health-related,” Zweifel-Keegan said.
Washington’s law also includes a private right of action. State Rep. Vandana Slatter, one of the act’s main architects, said that was important to include in light of the U.S. Supreme Court’s decision to overturn Roe v. Wade last year. Her aim was to shield data related to reproductive health from law enforcement investigations launched by other states that have outlawed or severely curtailed abortion access.
She said that under the previous biometric privacy regulations, the attorney general required an unspecified number of complaints against a private company before taking civil action against it.
“And if you think about it, you shouldn’t have to wait for 200 or 20, or however many people to be harmed before you can actually take action on something that potentially caused you harm,” Slatter said.
Not really ‘comprehensive’
The definition of biometric information that includes data derived from images found in the FTC’s statement, the BIPA legislation and the My Health, My Data Act all stand in contrast to Virginia’s privacy law, which is canonically referred to as a “comprehensive” consumer data privacy law. It has served as a model for other states, including Tennessee.
The Virginia law went into effect Jan. 1, and while it protects biometric data taken directly from a person, such as fingerprints and retinal scans, it exempts biometric data derived from a photograph or video of that person, which Chad Marlow, senior counsel of the American Civil Liberties Union, points out is where biometric data like faceprints normally comes from.
“Privacy professionals like myself, and pretty much anyone else in the field, can immediately read these laws and see all their weaknesses,” Marlow said of the comprehensive-style laws. “They’re incredibly weak laws. And not only are they weak, but the laws don’t even have private rights of action. So they’re like, not only are we passing weak laws, but you can’t even sue on those weak laws.”
He said this carve-out will still allow larger companies to collect biometric data. Washington’s Slatter said that she also recognized the weakness in some of the comprehensive bills, and, for the My Health, My Data Act, she strengthened protections often found in these types of broad legislation by adding more-specific definitions of protected data.
“So when you look at a comprehensive data privacy bill, generally, there’s a space or a place in these bills that refer to sensitive health data,” she said. “Maybe it’s legal data, immigration data, your Social Security number, or your age, or even your health data. And there’s sort of a separate kind of protection level in a comprehensive data privacy, but it isn’t just that you like purple hiking boots or something like that, right?”
And Zweifel-Keegan of IAPP said that even though Washington state’s law only applies to health data, its broader definition of biometric data signals companies outside of the state need to take biometric privacy more seriously.
“In the biometric space, and even in health data more broadly,” he said, “it’s just clear that these things are becoming more protected, that companies need to be treating them as sensitive data, doing the things that we’ve always said need to be done with sensitive data and maybe some new things as well.”