BIOMETRIC DATA COLLECTION AND USE IN THE AGE OF SOCIAL MEDIA: THE INCREASING NEED FOR COPPA UPDATES GIVEN THE DECREASING AGE OF INTERNET USERS.

• Author: Allen, Elena

1. INTRODUCTION 370 II. WHAT IS BIOMETRIC DATA? 372 III. DATA SECURITY ISSUES INVOLVED WITH BIOMETRIC DATA COLLECTION 374 IV. HOW DO SOCIAL MEDIA SITES USE AND COLLECT BIOMETRIC DATA? 377 A. TikTok 377 B. Facebook 380 C. Instagram 382 D. A Note on Clickwrap Agreements 382 V. THE DECREASING AGE OF SOCIAL MEDIA USERS & LACK OF PARENTAL AWARENESS 384 A. Decreasing Age of Social Media Users 384 B. Children's Online Protection Privacy Protection Act 386 C. Lack of Parental Awareness 387 VI. CURRENT LAWS AND LITIGATION 388 A. Illinois Biometric Information Privacy Act 388 B. Texas 390 C. Washington 391 D. Oregon 392 E. New York 392 F. Statutes Proposed in Other States 393 G. Biometric Data Privacy Litigation 394 VII. INADEQUACY AND POTENTIAL REMEDIES 396 A. Why COPPA Needs Updating 396 B. Updating COPPA's Definition of "Personal Information" 398 C. Updating COPPA's Age of Protection 399 D. Removing the "Actual Knowledge" Requirement 400 E. The Need for Federal Rather than State Legislation 400 VIII. CONCLUSION 401 I. INTRODUCTION

   As of 2021, there are 4.66 billion people using the Internet globally. (1) Almost 90% of these users are on social media. (2) There are 2.7 billion active users on Facebook, over 1 billion active users on Instagram, and TikTok is estimated to surpass 1.2 billion users this year. (3) Children as young as 7 are active users on these sites. (4) There is a growing conversation around when a child is at an appropriate age to use the internet and what the implications are of such young children having access to social media sites. (5) Children this young using social media sites pose a dangerous threat; children are unaware of the information they are sharing and how it may be used, and by whom. (6) This demographic is already using social media; there needs to be an update in current laws to protect children online regarding the sharing and collection of their biometric data. Currently, the Children's Online Privacy Protection Act (COPPA) provides protections for children online; including requiring sites to have parental controls, although only 17% of parents use parental controls online. (7) COPPA protects children under 13 online and deals with collecting information from kids and advertising to them; but it does not do enough, especially with emerging technologies, like the uptick in biometric data collection. (8) Although this sounds like science fiction, a la the emotion tracking telescreens in George Orwell's dystopian novels, it is a very real technology. (9)

   The increased use of biometric data on and off social media poses many risks. (10) Smartphones now come standard with technology that collects and interprets biometric data such as location, movement, facial recognition, fingerprint and retina scanning. (11) Social media sites collect and interpret this information for security, authentication, and user recognition. (12) However, issues of privacy, profit, and misuse of this data, accompany these benefits. (13) Unlike common collectable data, such as passwords or other-user generated information, which can be changed by the user at any time, biometric data, is immutable; you can't change your fingerprint or the look of the iris of your eye, both biometrics. (14) This data is inherently linked to someone's personhood, as it is a biological component of who they are. Because the current biometric data laws are a work in progress, this leaves the most vulnerable population on the internet, kids, generally unprotected from such vital data from being collected and misused. The lack of an across the board, federal law regulating biometric data collection and use, and the failure for the general public to understand the dangers of the mishandling of this sensitive information leads to an even more increased risk for children's online safety.

   This Note seeks to understand the intersection of biometric data and social media within the scope of young children using these sites and the danger this poses to them. There needs to be greater understanding of the risks users take on as a result of ineffective consent and terms of service and the dangers of the lack of understanding surrounding biometric data use and collection. First, this Note will provide an explanation of what biometric data is. Then, a discussion on how social media sites use and collect this data from its users. Next, a discussion on data security issues related to this biometric data use and collection. Next, a discussion on the decreasing age of Internet users and the issue of general unawareness by parents. Then, this Note will discuss what laws currently exist to combat and control the use and misuse of biometric data and how they fall short of the protections needed to ensure kids are safe online. Finally, this Note will conclude with a discussion on potential remedies that include more strict consent laws such as updating COPPA to include more children, as well as updating the definitions within the law to explicitly cover biometric information, more parental involvement, and explicit terms of service to ensure user security.

2. WHAT IS BIOMETRIC DATA?

   Biometrics are metrics related to human features, their biology, used to verify someone's identity. (15) Biometric data can also be defined as a "[p]hysiological or biological characteristic that is used by or on behalf of a commercial establishment to identify or assist in identifying an individual." (16) Rather than a physical document such as a driver's license or a passport, a person can be identified biometrically in several ways. The most commonly used biometric identifiers are facial recognition, iris recognition, fingerprint scanning, and voice recognition. (17)

   Even just a decade ago this technology was seen as Hollywood movie magic. In 2013, Apple introduced its first smartphone with a fingerprint scanner which led to almost every smartphone coming standard with a fingerprint scanner, face scanners, and even retina scanners. (18) The average person with a smartphone uses biometric data every day, from unlocking their phone with facial recognition, to asking Siri a question with their unique voice; or by simply logging onto their online banking app using their fingerprint. (19) This data is stored within the device; each device or site holds the biometrics in a bank, i.e., a face bank, or voice bank, or bank of fingerprint data. (20) When a user engages their biometric identifier, the "live" information is compared to the stored information to ensure that it matches that unique user, thus granting access to the device or site. (21)

   A jump occurred from simple smartphone integration to large companies, social media sites, and government agencies collecting and using this data. (22) Police use biometric data in the form of DNA and fingerprints in solving crimes, medical professionals may use retina scans and genetic tests to improve patient care, and even credit card companies are testing the use of a fingerprint authentication system in lieu of the tradition PIN number to confirm a user's identity. (23) Biometrics are always evolving. As recent as the global COVID-19 pandemic, different aspects of biometric identification were thrust into the minds of the global population with contact tracing and temperature scanning becoming a regular activity throughout 2020 and 2021. (24)

3. DATA SECURITY ISSUES INVOLVED WITH BIOMETRIC DATA COLLECTION

   The personalization of biometric data can be a double-edged sword regarding its security potential. The highly personalized nature of the data makes it more secure for the user; however, this personalization can lead to very negative consequences if this data falls into the wrong hands, as it is not able to be changed, like a compromised password.

   Prior to the use of biometric data, many internet sites and technologies used passwords as their form of identification. (25) This secretive online lock and key system was previously effective; however, due to the increased sophistication and exploitative nature of password hackers, biometrics are now seen as a more secure option. (26) Biometric data can be more secure than a regular password because it is impossible to forget; "... biometrics utilizes each individual's unique biological key." (27) There are the other added bonuses of this data always being accessible, as you cannot leave home without an integral part of yourself, and in the same vain, this information is always consistent and impossible to replicate; unlike a common password or PIN, this information does not change and is highly unique to the user. (28)

   Alongside the increased security of using biometric identifiers comes great risk. One issue is that the data being collected is often happening in the background and goes unnoticed by users. (29) Users become complacent with security measures regarding their biometric data because the use of them has become so commonplace. (30) Biometric data is forever; unlike names and locations, biometric data does not change, so once it is compromised, it is completely outside the user's control and can lead to some devastating consequences including hacking and identity theft. (31) In 2015, over 5.6 million fingerprint records were stolen through a hack occurring on the White House's Office of Personnel Management. (32) Multiple government agencies were involved in assessing the risk to those whose information was compromised, noting "[i]t is easy to get a new password, pin or credit card... but it's... harder to get new fingers." (33) Again, in 2019, over 1 million people's biometric data was compromised including their fingerprints and facial recognition information. (34) An Israeli based security research group tasked with finding holes in companies' data security found this data unprotected and vulnerable to cyber-attacks. (35) Researchers point out that these weaknesses are common and they contact multiple companies weekly with similar security concerns with the...