A recent policy statement from the Federal Trade Commission on the collection of biometric information, such as fingerprints and retina scans, will put a national spotlight on the issue, which will likely lead to more litigation and regulatory action, experts say.
Previously, the focus of biometric liability concerns has largely been confined to exposures in Illinois, where the state’s 2008 Biometric Information Privacy Act has led to thousands of lawsuits against businesses and two state Supreme Court decisions.
Other states including Washington and Texas as well as cities such as New York, Baltimore and Portland, Oregon, have enacted biometric legislation, but the Illinois law, which permits a private right of action, remains the most stringent.
The policy statement issued by the FTC last month says the collection and use of biometric information may violate Section 5 of the Federal Trade Commission Act, which bars unfair and deceptive acts and practices that affect commerce, and that it plans to scrutinize its use.
The FTC said the increased use of biometric information by companies raises significant consumer privacy and data concerns and creates the potential for bias and discrimination.
Observers say the statement extends what is considered biometric information beyond the parameters of BIPA to include, for instance, photos, which are explicitly not considered biometric under the Illinois law.
“It’s a useful document,” said Fredric D. Bellamy, a member of Dickinson Wright PLLC in Phoenix. The gist of it is to tell businesses to think harder about whether and how to use biometric data, he said.
Observers say they are worried, however, about what the policy statement means for employers.
The FTC is concerned with a broader set of biometrics than BIPA, which focuses on adequate releases or waivers and primarily warns about false claims associated with the unfair use of the information, said David E. Morrison, a principal with Goldberg Kohn Ltd. in Chicago.
The agency’s interest in the issue may lead to more robust enforcement actions throughout the United States, he said.
Kirk J. Nahra, co-chair, big data practice, with Wilmer Cutler Pickering Hale and Dorr LLP in Washington, said in comparable situations where the agency has released policy statements, the FTC has subsequently issued notices of settlements.
After about 50 uncontested such cases, the agency will say “That’s the law,” and when challenged courts will essentially agree, he said.
Justin O. Kay, a partner with Faegre Drinker Biddle & Reath LLP in Chicago, said he is concerned about the ambiguity the policy introduces into compliance, pointing to its statement about requiring a “holistic assessment” of biometric data’s impact and functionality before its deployment.
The statement could open the door to new theories of what is unfair or deceptive in the collection and use of biometric data, he said.
Experts recommend approaching the issue of using biometric information cautiously.
Companies have an ongoing obligation to examine data collection processes and mitigate any potential risk, said Cobun Zweifel-Keegan, managing director of the Portsmouth, New Hampshire-based International Association of Privacy Professionals.
The first step is to “see if you really need” the biometric data and, if so, be sure any statements made “are absolutely true,” said Jenny L. Colgate, a member of Rothwell, Figg, Ernst & Manbeck P.C. in Washington.
Companies should be sure they have documentation on the claims they are marketing about technology designed to collect biometric data, said Tatiana Rice, senior counsel at think tank The Future of Privacy Forum in Washington.