Our privacy rights are constantly in flux as technology continues to outpace practical legislation concerning data collection and use. Aggregated information used, for example, to study trends is not the primary issue. Rather, the issue is information that contains something an unrelated person can use to identify who it came from. If I visit a website that tracks details of my visit, I do not expect the website to sell information that alone would allow the buyer to personally identify me without my knowledge or permission. Personal information comes in many forms, but heightened attention is focused on current issues around biometrics.
Biometric identifiers are things like your fingerprint, voiceprint, facial geometry, or iris scan. Biometric information is the information that contains your biometric identifiers. They are unique personal identifiers. Think of the facial recognition capabilities of Facebook or Shutterfly when people upload photos. This same capability landed both companies in recent litigation for violating an Illinois biometrics privacy law.
With the increasing availability of ways to obtain and verify consumer information (say, going from gathering my date of birth to gathering my fingerprint or other biometric identifier), companies can implement advanced analytics to recognize and monitor consumers whose information they obtain. The problem is, the more unique my personal information, the more valuable it becomes to me. My fingerprint is one of the most unique identifiers I possess. My birthday, like everyone else’s in the world, is only one of 365 options. Of course, I already know that a person who obtains my information, regardless of fault, can cause me harm. To gauge the degree of risk when I share my information, I think of a chart where the more unique my personal information, the more severe the potential harm. People who wrongly access my information can create problems like identity theft, but depending on the information type they may even be able to use it to track my activities and physical location.
Although government use of biometrics is not new, affordable, accurate applications that businesses can use to gather and analyze the data have become increasingly prevalent. Now, it is a matter of determining to what extent private sector actors will be obligated to disclose their intentions to consumers to allow for informed consumer consent prior to gathering or using biometric information.
That brings us back to the recent issues Facebook faced in Illinois for violating the state’s 2008 Biometric Information Privacy Act (BIPA), which prohibits collection, use and sale of biometric identifiers absent proper informed consent. Illinois residents filed suit against Facebook for violations of BIPA that have yet to be fully decided. The California courts first had to decide unrelated legal matters like jurisdiction, forum selection and other procedural items. The court decided BIPA applies, but it remains unanswered whether Facebook (1) properly informed consumers about the specific use, storage and collection of their biometric data, (2) obtained signed releases from consumers to conduct activities with their biometric data, or (3) sold, traded or disseminated consumers’ data for profit.
The case against Facebook is just one example of challenges to companies over their use of consumer information. As consumers, we ideally should own our information and control how it is used, but the Illinois case shows how the legal framework surrounding ownership, collection, use, and sale specifically of biometric information remains unclear at best.
The difference between Facebook’s facial recognition and the iPhone’s use of fingerprint identification, for comparison, is that Apple is not collecting or storing the data. The phone holds the encrypted mathematical mapping of your fingerprint data to help preserve ownership and to avoid unauthorized access from others.
To determine who owns what, including the data that has already been gathered and is stored, legislators need to refine the scope of consumer protection and privacy laws regarding data sharing, storing, collecting, and cross-referencing. Consumers need the ability to give informed consent to the use of their biometric information.
There are substantial benefits to advancing technology surrounding biometric identifiers, which should be neither ignored nor overinflated when addressing issues of its ownership and use, but greater advancement in technology can also lead to a greater risk of biometric data being used improperly.