THE FACE-ID REVOLUTION: THE BALANCE BETWEEN PRO-MARKET AND PRO-CONSUMER BIOMETRIC PRIVACY REGULATION.

Author: Wong, Kelly A.
  1. Introduction

    Imagine a world where a customer can pay for an ice cream cone simply by the measurement of their facial features. (1) With the recent advances in facial recognition technology, such a novel concept may soon become reality. (2) Facial feature recognition is a facet within the umbrella of biometric data, the most unique and unalterable information that one can tender to another. (3) The National Institute of Standards and Technology ("NIST") defines biometric data as the measurement of innate physiological characteristics such as fingerprints, the iris, or facial features, used for the identification of a specific individual. (4) But the world of biometric data is not limited to solely physiological characteristics, as biometric data can also encompass behavioral characteristics, such as the measurement of human behavioral patterns. (5) As emerging technology continues to employ biometric data as a security feature, the unchangeable nature of our biometrics renders these privacy features far different from a traditional, written password. (6) Because of this rapid development and the heightened sensitivity of our biometric data, it is necessary for federal regulations to evolve as well in a way that adequately protects consumer privacy. (7)

    This Note addresses the need for a uniform federal regulation concerning biometric data, in light of the increased use of this technology in commonplace consumer products. The European Union's General Data Protection Regulation ("GDPR") Privacy by Design mandate in conjunction with current state biometric laws and the proposed Commercial Facial Recognition Privacy Act of 2019 could serve as a desirable blueprint for the federal regulation of biometric data. Biometric data's immutable nature heightens the consequences of misappropriation, thus increasing the likelihood for a consumer to be harmed by a privacy breach. Where corporations are obliged to store and protect this sensitive data, measures should be taken to appropriately hold them accountable in the event they do not. Part II of this Note introduces the backdrop of biometric data identification and authorization, and discusses the current legal framework surrounding it, which exists solely as state law. Part III of this Note addresses three significant cases that are shaping the manner in which the recent laws concerning biometric privacy law are being interpreted in Illinois. Part III also addresses the Commercial Facial Recognition Privacy Act of 2019 and Privacy by Design. Finally, Part IV analyzes the current biometric regulatory framework and proposes a solution for a more effective federal regulatory system.

  2. History

    1. Biometric Data

      You cannot see your own face, but each time you look in the mirror, your brain collects and stores biometric information to allow you to remember what you look like. (8) At the most basic level, biometric technology works in the same way by measuring the thousands of unique characteristics of an individual's face and recording the information for later use. (9) Although the use of biometrics may seem futuristic, some research suggests that the process of identifying people through physiological and behavioral characteristics dates back nearly 31,000 years. (10) In 1858, handprints were first recorded to distinguish employees from one another. (11) Throughout the remainder of the 1800s, the scope of biometric data extended to other areas of anthropometrics, the study of the body's measurement and capabilities. (12) This subsequently led to the creation of fingerprint classification systems as humans, while each having a unique fingerprint, share similar anthropometric information. (13) In 1986, a patent was granted for the notion that the iris could be used for biometric identification purposes, with a second patent awarded for the first iris recognition algorithm in 1994. (14) All of the aforementioned events have in some manner paved the way for the collection of biometric data in the consumer market through the Apple iPhone. (15)

      As society continues to incorporate biometrics, it is important to recognize the difference between biometric identification and biometric authorization. (16) Biometric identifiers are used to identify "who you are". (17) Examples of biometric identifiers include, but are not limited to, fingerprints, vein patterns, iris features, and voice or face patterns. (18) Thus, biometric identification can succinctly be described as using an individual's biometric identifier to match the identifier with that specific individual within a database of biometric identifiers compiled from multiple individuals. (19) In contrast, biometric authentication is used to prove "who you are" through the use of a biometric identifier. (20) For example, when the biometric system is the sole authenticator, the biometric identifier is placed against a database containing your biometric data, ensuring that your biometric identifier matches the database's stored information. (21) Today, the most commonly used types of biometric authentication technologies include retina scans, iris recognition, finger scanning, finger vein ID, facial recognition, and voice identification. (22)

    2. Biometric Data in Consumer Products and Services

      The use of current authentication methods such as passwords will most likely become obsolete in the near future because of the ubiquity of biometric technology. (23) Although biometrics have been around for a while, companies like Apple and Samsung are striving to implement biometric authentication into their products to prevent hackers from accessing an individual's personal information. (24)

      Nonetheless, companies are not only using biometrics for authentication and security reasons; biometrics also present an unparalleled opportunity for companies to collect a consumer's distinctive data for marketing purposes. (25) Given the ever-growing presence of biometrics in the lives of individuals, there must be effective regulation that governs the security of these systems and allows consumers the freedom to control their privacy.

    3. The Federal Trade Commission and Biometrics

      Data privacy law is an emerging area of law that lacks standardized federal regulation in the collection and use of personal data. (26) However, there are some significant federal privacy laws that regulate the collection and use of data. (27) The Federal Trade Commission Act ("FTC"), the Gramm-Leach-Bliley Act ("GLBA"), and the Health Insurance Portability and Accountability Act ("HIPAA") are among the most impactful. (28) The common thread of all of these data privacy regulations is that they follow the Fair Information Practices ("FIPs"), which promulgate a set of principles for information privacy through a notice and consent model. (29)

      Congress enacted the FTC to protect consumers in the marketplace and to promote competition. (30) In the context of data and privacy protection, the FTC has the power to bring an enforcement action against companies who have engaged in unfair or deceptive practices such as non-compliance with privacy policies and unauthorized disclosure of personal data. (31) Although the FTC does not regulate biometric data, it has promulgated a list of best practices when collecting and storing an individual's biometric data. (32) The FTC analyzed three hypothetical case studies to exemplify how these best practices would be implemented in the real world as an effort to educate companies in being responsible when using biometric technology. (33) Nonetheless, the FTC does not currently have the power to enforce its best practices or regulate biometric data.

    4. State Biometric Law

      While Congress has yet to enact any federal regulation concerning the protection and use of biometrics, a few states have taken initiative on the issue. (34) Illinois, Texas, and Washington are leading this needed movement. (35) The strongest of these legislations is the Illinois Biometric Privacy Act. (36)

      1. Illinois BIPA

        In 2008, Illinois passed the Biometric Information Privacy Act ("Illinois BIPA") which includes regulations for the collection and use of biometric data. (37) The legislative intent underpinning the Illinois BIPA is the acknowledgement of the unparalleled distinctiveness of biometrics; but more so, the imperativeness to protect the individual from misappropriation. (38) Under the Illinois BIPA, a biometric identifier is defined to include a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. (39) On the contrary, any information used to identify an individual by means of an individual's biometric identifier is defined as biometric information. (40) The terms confidential and sensitive information, private entity, and written release are also defined in the Illinois BIPA. (41)

        Section 15 of the Illinois BIPA outlines the proper retention, collection, disclosure, and destruction of biometric identifiers and biometric information. (42) More specifically, there is a requirement of notice and guidelines regarding the manner in which it must be given to an individual before a private entity collects an individual's biometric identifier or information. (43) With respect to the disclosure of an individual's biometric information or identifier, there are limits as to when this sensitive information can be disseminated and BIPA discourages private entities from profiting off of an individual's biometric information or identifier. (44) Moreover, an entity in possession of biometric identifiers and information must adhere to reasonable standards while being in control of this information. (45)

        A notable aspect of the Illinois BIPA is that it provides individuals with a private right of action. (46) In the event of a violation of the Illinois BIPA, the statute sets forth the amount of damages that an aggrieved party is entitled to. (47) Not only does the statute provide individuals with the opportunity to collect liquidated or actual...
