AN ANALYSIS ON BIOMETRIC PRIVACY DATA REGULATION: A PIVOT TOWARDS LEGISLATION WHICH SUPPORTS THE INDIVIDUAL CONSUMER'S PRIVACY RIGHTS IN SPITE OF CORPORATE PROTECTIONS.

• Author: Llaneza, Carla

1. INTRODUCTION

   The ways in which the silhouette of an individual's face grants access to a cell phone, or the simple touch of a fingerprint, allow citizens to clear airport security customs, are examples of the power of biometric data and the impact it continues to have on daily American life. (1) Although there are several advantages that this budding technological advancement has brought to individuals, business corporations, and government agencies, the individualized consumer is not aware of the ways in which this data is used and disseminated. (2) Data privacy is one of the most pressing societal issues today, with American consumers calling on business corporations and lawmakers to address the issue. (3) It can be determined that this desire for more protection over personal private data will only continue to grow stronger as private companies further garner strategies in retrieval of sensitive information for profit. (4) Over the last sixteen years, private entities in the United States have gained access to a wealth of consumers' sensitive behavioral and physical information through the use of biometric data. (5) Biometrics data is "the measurement and statistical analysis of people's unique physical and behavioral characteristics." (6) Examples of biometric measures include fingerprints, facial recognition, iris recognition, and DNA matching. (7) Statistics show that the use of these biometric measures such as fingerprints, iris detection, and facial recognition software has gained significant traction for identification purposes in several different fields. (8) This type of information is used by government agencies, businesses, hospitals, banks, and even retail services to gain access to a person's identity; in addition, these companies use the identifiers to improve business functionality and efficiency. (9) However, because biometric identifiers are unique to each individual, this means that unlike a username and password combination, if a person's biometric identifiers are compromised, they cannot be changed. (10)

   Although biometric information serves as a crucial tool for both businesses and individuals alike, legislation that would protect the consumer from potential abuse by corporations, in the form of a data breach, has yet to be decided on a federal level. (11) There have been a few pieces of state legislature which have been passed in recent years which overwhelmingly seem to provide consumers with the ability to have power over their private data. However, the majority of those laws seem to favor the rights of the business corporation and not of the consumer. (12) But there should be regulation available to consumers in the United States emulating the European Union's leading law on internet privacy known as the General Data Protection Regulation (the "GDPR"), and more specifically focusing on the "Right to be Forgotten." (13)

   This Comment will address the different ways in which biometric data has become an integral part of everyday American life, whether it be through the use of facial recognition for national security or the use of fingerprinting to access an individual's smartphone. (14) Part II will further discuss how biometric data privacy legislation, specifically as set out in the Biometric Illinois Privacy Act ("BIPA"), has become prominent and will analyze its effects on the legal rights of consumers to bring suit against private entities. (15) Part III will discuss the present solutions available to consumers who fall victim to companies who distribute consumer's information. (16) Further, Part IV will compare these solutions to the European Union's regulation known as the "Right to be Forgotten". (17)

   Finally, Part V will discuss the solutions to biometric privacy data breaches by proposing federal legislation similar to the already established state law private causes of action for the aggrieved, as well as giving the individual the option to participate in complete data wiping, similar to that which is done in the European Union. (18)

2. BACKGROUND

   1. THE BIOMETRIC ILLINOIS PRIVACY DATA ACT

   In October 2008, BIPA was passed by the State of Illinois and since then has created a platform for the future of data privacy litigation and legislation. (19) BIPA became the first law in the United States to protect individual privacy data and since its inception, has given rise to hundreds of class action law suits. (20) The Act prohibits any private entity in possession of biometric identifier or biometric information to "sell, lease, trade[,] or otherwise profit from a person's or customer's biometric identifier or biometric information." (21)

   It can be argued that the most notable protection BIPA provides is the protection of the individual consumer from corporations who benefit from the collection of their biometric identifiers. (22) Although there are other state laws that have followed in BIPA's footsteps, BIPA is the only act which provides individual consumers with a private right of action by allowing any person who has been aggrieved by either a private entity or an individual to sue for up to "$1000 for each negligent violation of the act and $5000 for each intentional or reckless violation." (23) In addition, companies or private entities who violate BIPA are liable for attorneys' fees and costs as well as any experts' fees and injunctive relief. (24)

   Although BIPA does not define who would be considered an "aggrieved party," in the seminal case of Rosenbach v. Six Flags Entertainment Corp., the Supreme Court of Illinois settled this uncertainty by holding that once a company fails to comply with any of the requirements as outlined under the Act, the individual would have standing to sue under a BIPA violation. (25) In that case, Six Flags Theme Park in Illinois used a minor's fingerprint to grant him access to the theme park without providing him with information on how long the biometric information would be retained, nor for what purpose the fingerprint would serve now that it was collected by the park. (26) It was thus established that the plaintiffs could recover damages because they were considered "aggrieved parties" once the theme park did not provide them with information on what they had just consented to when they allowed the park to use their fingerprints. (27) Consequently, it was decided on precedence that a person who is "aggrieved" need not suffer actual harm but just needs to find that the company violated the requirements of the Act to be able to recover damages under BIPA. (28)

   BIPA establishes that if private entities or individuals collect biometric identifiers or similar types of information through the use of fingerprints, facial recognition technology, or iris scans, the entities are to provide notice to the individual consumers whose information has been or is about to be used, distributed, or sold. (29) It also requires for the company or private entity that has collected the information to inform the consumer in writing about what they will do with the information that has been collected and for what length of time the information will remain collected before they destroy it, sell it, or otherwise handle the biometrics. (30) Employers who have retained information from their employees using biometric identifiers must provide them with a written policy outlining the ways in which they will dispose of the identifiers no later than three years after the purpose of their collection was met or the person's last interaction with the employer. (31)

3. BIPA'S EFFECT ON INDIVIDUAL STATE LEGISLATURE

   1. BIPA LEADS BIOMETRIC PRIVACY INFORMATION LEGISLATION

      The effect of the BIPA legislation was not seen until a few years after its enactment when several class action lawsuits were filed, namely from employees against employers for using their fingerprints for timekeeping purposes. (32) This legislation has not only put businesses in Illinois who use biometric identifiers to collect information from their employers or other consumers on notice, but has also done the same for private corporations not localized in the state in preparation of the legislation that is being considered across the United States. (33)

      Although Illinois has set the stage for other state legislatures to restrict the use and dissemination of biometric data collected by private corporations, several of the other state's approach to the drafting of their own privacy data acts have lacked the sole component which would provide the ultimate layer of protection for the individual consumer which is creating a private cause of action to sue the companies who tamper with the biometric identifiers. (34)

   2. TEXAS STATUTE ON THE CAPTURE OR USE OF BIOMETRIC IDENTIFIERS

      Texas was the second state to develop its own biometric identifier data privacy act after Illinois and Washington set the stage for consumer protection. (35) The Texas Act, Capture or Use of Biometric Identifiers ("CUBI"), differs from that of Washington and Illinois as it only covers personal information categorized as "biometric identifier." (36) The definition of what would be considered a biometric identifier under CUBI is more specifically targeted to include: "specific types of information including fingerprints, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics used to identify a specific individual." (37) The Texas statute, similarly to BIPA, prohibits companies from capturing information for "commercial purposes" without notice and consent having been sent to the aggrieved party before the capture. (38) CUBI fails to define what would be considered a "commercial purpose," but an example of one would be collecting fingerprints in order to pay employer salaries. (39) Also, unlike BIPA, Texas does not require that there be a written release. (40) The guidelines that would direct employers who retain this information, for timekeeping purposes, for example, are not as defined as...